diff --git a/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXSSCodemod.java b/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXSSCodemod.java index 8675f7444..65adbcbe5 100644 --- a/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXSSCodemod.java +++ b/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXSSCodemod.java @@ -48,8 +48,6 @@ public CodemodFileScanningResult visit( r -> Optional.ofNullable( r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()), - r -> - Optional.ofNullable( - r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn())); + r -> Optional.empty()); } } diff --git a/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLHttpResponseSplittingCodemodTest.java b/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLHttpResponseSplittingCodemodTest.java new file mode 100644 index 000000000..30a03dee4 --- /dev/null +++ b/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLHttpResponseSplittingCodemodTest.java @@ -0,0 +1,15 @@ +package io.codemodder.codemods.codeql; + +import io.codemodder.DependencyGAV; +import io.codemodder.testutils.CodemodTestMixin; +import io.codemodder.testutils.Metadata; + +@Metadata( + codemodType = CodeQLHttpResponseSplittingCodemod.class, + testResourceDir = "codeql-http-response-splitting", + expectingFixesAtLines = {155}, + doRetransformTest = false, + renameTestFile = + "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + dependencies = DependencyGAV.JAVA_SECURITY_TOOLKIT_GAV) +final class CodeQLHttpResponseSplittingCodemodTest implements CodemodTestMixin {} diff --git a/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLXSSCodemodTest.java b/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLXSSCodemodTest.java new file mode 100644 index 000000000..44ffbc9ba --- /dev/null +++ b/core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLXSSCodemodTest.java @@ -0,0 +1,14 @@ +package io.codemodder.codemods.codeql; + +import io.codemodder.testutils.CodemodTestMixin; +import io.codemodder.testutils.Metadata; + +@Metadata( + codemodType = CodeQLXSSCodemod.class, + testResourceDir = "codeql-xss", + renameTestFile = + "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + expectingFixesAtLines = 302, + doRetransformTest = false, + dependencies = {}) +final class CodeQLXSSCodemodTest implements CodemodTestMixin {} diff --git a/core-codemods/src/test/resources/codeql-http-response-splitting/AuthorizationServlet.java.after b/core-codemods/src/test/resources/codeql-http-response-splitting/AuthorizationServlet.java.after new file mode 100644 index 000000000..72a9417b2 --- /dev/null +++ b/core-codemods/src/test/resources/codeql-http-response-splitting/AuthorizationServlet.java.after @@ -0,0 +1,171 @@ +/* + * Copyright 2007 AOL, LLC. + * Portions Copyright 2009 Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.roller.weblogger.webservices.oauth; + +import java.io.IOException; +import java.io.PrintWriter; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import net.oauth.OAuth; +import net.oauth.OAuthAccessor; +import net.oauth.OAuthMessage; +import net.oauth.server.OAuthServlet; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.roller.weblogger.business.OAuthManager; +import org.apache.roller.weblogger.business.WebloggerFactory; + +/** + * Authorization request handler. + * + * @author Praveen Alavilli + * @author Dave Johnson (adapted for Roller) + */ +public class AuthorizationServlet extends HttpServlet { + protected static final Log log = LogFactory.getFactory().getInstance(AuthorizationServlet.class); + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws IOException, ServletException { + + try{ + OAuthMessage requestMessage = OAuthServlet.getMessage(request, null); + + OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager(); + OAuthAccessor accessor = omgr.getAccessor(requestMessage); + + if (Boolean.TRUE.equals(accessor.getProperty("authorized"))) { + // already authorized send the user back + returnToConsumer(request, response, accessor); + } else { + sendToAuthorizePage(request, response, accessor); + } + + } catch (Exception e){ + handleException(e, request, response, true); + } + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws IOException, ServletException { + + try{ + OAuthMessage requestMessage = OAuthServlet.getMessage(request, null); + + OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager(); + OAuthAccessor accessor = omgr.getAccessor(requestMessage); + + String userId = request.getParameter("userId"); + if (userId == null) { + userId = request.getParameter("xoauth_requestor_id"); + } + + if (userId == null) { + // no user associted with the key, must be site-wide key, + // so get user to login and do the authorization process + sendToAuthorizePage(request, response, accessor); + + } else { + + // if consumer key is for specific user, check username match + String consumerUserId = (String)accessor.consumer.getProperty("userId"); + if (consumerUserId != null && !userId.equals(consumerUserId)) { + throw new ServletException("ERROR: invalid or unspecified userId"); + } + + // set userId in accessor and mark it as authorized + omgr.markAsAuthorized(accessor, userId); + WebloggerFactory.getWeblogger().flush(); + } + + returnToConsumer(request, response, accessor); + + } catch (Exception e){ + handleException(e, request, response, true); + } + } + + private void sendToAuthorizePage(HttpServletRequest request, + HttpServletResponse response, OAuthAccessor accessor) + throws IOException, ServletException{ + String callback = request.getParameter("oauth_callback"); + if(callback == null || callback.length() <=0) { + callback = "none"; + } + String consumer_description = (String)accessor.consumer.getProperty("description"); + request.setAttribute("CONS_DESC", consumer_description); + request.setAttribute("CALLBACK", callback); + request.setAttribute("TOKEN", accessor.requestToken); + request.getRequestDispatcher("/roller-ui/oauthAuthorize.rol").forward(request, response); + } + + private void returnToConsumer(HttpServletRequest request, + HttpServletResponse response, OAuthAccessor accessor) + throws IOException, ServletException { + + // send the user back to site's callBackUrl + String callback = request.getParameter("oauth_callback"); + if ("none".equals(callback) + && accessor.consumer.callbackURL != null + && accessor.consumer.callbackURL.length() > 0){ + // first check if we have something in our properties file + callback = accessor.consumer.callbackURL; + } + + if ( "none".equals(callback) ) { + // no call back it must be a client + response.setContentType("text/plain"); + try (PrintWriter out = response.getWriter()) { + out.println("You have successfully authorized for consumer key '" + + accessor.consumer.consumerKey + + "'. Please close this browser window and click continue" + + " in the client."); + } + } else { + // if callback is not passed in, use the callback from config + if(callback == null || callback.length() <=0 ) { + callback = accessor.consumer.callbackURL; + } + String token = accessor.requestToken; + if (token != null && callback != null) { + callback = OAuth.addParameters(callback, "oauth_token", token); + } + + response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY); + response.setHeader("Location", stripNewlines(callback)); + } + } + + public void handleException(Exception e, HttpServletRequest request, + HttpServletResponse response, boolean sendBody) + throws IOException, ServletException { + log.debug("ERROR authorizing token", e); + String realm = (request.isSecure())?"https://":"http://"; + realm += request.getLocalName(); + OAuthServlet.handleException(response, e, realm, sendBody); + } + + private static String stripNewlines(final String s) { + return s.replaceAll("[\n\r]", ""); + } +} diff --git a/core-codemods/src/test/resources/codeql-http-response-splitting/AuthorizationServlet.java.before b/core-codemods/src/test/resources/codeql-http-response-splitting/AuthorizationServlet.java.before new file mode 100644 index 000000000..92f3b40a6 --- /dev/null +++ b/core-codemods/src/test/resources/codeql-http-response-splitting/AuthorizationServlet.java.before @@ -0,0 +1,167 @@ +/* + * Copyright 2007 AOL, LLC. + * Portions Copyright 2009 Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.roller.weblogger.webservices.oauth; + +import java.io.IOException; +import java.io.PrintWriter; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import net.oauth.OAuth; +import net.oauth.OAuthAccessor; +import net.oauth.OAuthMessage; +import net.oauth.server.OAuthServlet; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.roller.weblogger.business.OAuthManager; +import org.apache.roller.weblogger.business.WebloggerFactory; + +/** + * Authorization request handler. + * + * @author Praveen Alavilli + * @author Dave Johnson (adapted for Roller) + */ +public class AuthorizationServlet extends HttpServlet { + protected static final Log log = LogFactory.getFactory().getInstance(AuthorizationServlet.class); + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws IOException, ServletException { + + try{ + OAuthMessage requestMessage = OAuthServlet.getMessage(request, null); + + OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager(); + OAuthAccessor accessor = omgr.getAccessor(requestMessage); + + if (Boolean.TRUE.equals(accessor.getProperty("authorized"))) { + // already authorized send the user back + returnToConsumer(request, response, accessor); + } else { + sendToAuthorizePage(request, response, accessor); + } + + } catch (Exception e){ + handleException(e, request, response, true); + } + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws IOException, ServletException { + + try{ + OAuthMessage requestMessage = OAuthServlet.getMessage(request, null); + + OAuthManager omgr = WebloggerFactory.getWeblogger().getOAuthManager(); + OAuthAccessor accessor = omgr.getAccessor(requestMessage); + + String userId = request.getParameter("userId"); + if (userId == null) { + userId = request.getParameter("xoauth_requestor_id"); + } + + if (userId == null) { + // no user associted with the key, must be site-wide key, + // so get user to login and do the authorization process + sendToAuthorizePage(request, response, accessor); + + } else { + + // if consumer key is for specific user, check username match + String consumerUserId = (String)accessor.consumer.getProperty("userId"); + if (consumerUserId != null && !userId.equals(consumerUserId)) { + throw new ServletException("ERROR: invalid or unspecified userId"); + } + + // set userId in accessor and mark it as authorized + omgr.markAsAuthorized(accessor, userId); + WebloggerFactory.getWeblogger().flush(); + } + + returnToConsumer(request, response, accessor); + + } catch (Exception e){ + handleException(e, request, response, true); + } + } + + private void sendToAuthorizePage(HttpServletRequest request, + HttpServletResponse response, OAuthAccessor accessor) + throws IOException, ServletException{ + String callback = request.getParameter("oauth_callback"); + if(callback == null || callback.length() <=0) { + callback = "none"; + } + String consumer_description = (String)accessor.consumer.getProperty("description"); + request.setAttribute("CONS_DESC", consumer_description); + request.setAttribute("CALLBACK", callback); + request.setAttribute("TOKEN", accessor.requestToken); + request.getRequestDispatcher("/roller-ui/oauthAuthorize.rol").forward(request, response); + } + + private void returnToConsumer(HttpServletRequest request, + HttpServletResponse response, OAuthAccessor accessor) + throws IOException, ServletException { + + // send the user back to site's callBackUrl + String callback = request.getParameter("oauth_callback"); + if ("none".equals(callback) + && accessor.consumer.callbackURL != null + && accessor.consumer.callbackURL.length() > 0){ + // first check if we have something in our properties file + callback = accessor.consumer.callbackURL; + } + + if ( "none".equals(callback) ) { + // no call back it must be a client + response.setContentType("text/plain"); + try (PrintWriter out = response.getWriter()) { + out.println("You have successfully authorized for consumer key '" + + accessor.consumer.consumerKey + + "'. Please close this browser window and click continue" + + " in the client."); + } + } else { + // if callback is not passed in, use the callback from config + if(callback == null || callback.length() <=0 ) { + callback = accessor.consumer.callbackURL; + } + String token = accessor.requestToken; + if (token != null && callback != null) { + callback = OAuth.addParameters(callback, "oauth_token", token); + } + + response.setStatus(HttpServletResponse.SC_MOVED_TEMPORARILY); + response.setHeader("Location", callback); + } + } + + public void handleException(Exception e, HttpServletRequest request, + HttpServletResponse response, boolean sendBody) + throws IOException, ServletException { + log.debug("ERROR authorizing token", e); + String realm = (request.isSecure())?"https://":"http://"; + realm += request.getLocalName(); + OAuthServlet.handleException(response, e, realm, sendBody); + } +} diff --git a/core-codemods/src/test/resources/codeql-http-response-splitting/out.sarif b/core-codemods/src/test/resources/codeql-http-response-splitting/out.sarif new file mode 100644 index 000000000..3879d8f42 --- /dev/null +++ b/core-codemods/src/test/resources/codeql-http-response-splitting/out.sarif @@ -0,0 +1,51061 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "semanticVersion": "2.19.3" + }, + "extensions": [ + { + "name": "codeql/java-queries", + "semanticVersion": "1.1.8+39a67b6e2e6490a9bd010db50e148f647765e9f7", + "rules": [ + { + "id": "java/android/debuggable-attribute-enabled", + "name": "java/android/debuggable-attribute-enabled", + "shortDescription": { + "text": "Android debuggable attribute enabled" + }, + "fullDescription": { + "text": "An enabled debugger can allow for entry points in the application or reveal sensitive information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql", + "precision": "very-high", + "security-severity": "7.2" + } + }, + { + "id": "java/android/fragment-injection", + "name": "java/android/fragment-injection", + "shortDescription": { + "text": "Android fragment injection" + }, + "fullDescription": { + "text": "Instantiating an Android fragment from a user-provided value may allow a malicious application to bypass access controls, exposing the application to unintended effects." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/fragment-injection-preference-activity", + "name": "java/android/fragment-injection-preference-activity", + "shortDescription": { + "text": "Android fragment injection in PreferenceActivity" + }, + "fullDescription": { + "text": "An insecure implementation of the 'isValidFragment' method of the 'PreferenceActivity' class may allow a malicious application to bypass access controls, exposing the application to unintended effects." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n", + "markdown": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n @Override\n protected void onCreate(Bundle savedInstance) {\n try {\n super.onCreate(savedInstance);\n // BAD: Fragment instantiated from user input without validation\n {\n String fName = getIntent().getStringExtra(\"fragmentName\");\n getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n Fragment.instantiate(this, fName, null)).commit();\n }\n // GOOD: Fragment instantiated statically\n {\n getFragmentManager().beginTransaction()\n .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n }\n } catch (Exception e) {\n }\n }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // BAD: any Fragment name can be provided.\n return true;\n }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n @Override\n protected boolean isValidFragment(String fragmentName) {\n // Good: only trusted Fragment names are allowed.\n return SafeFragment1.class.getName().equals(fragmentName)\n || SafeFragment2.class.getName().equals(fragmentName)\n || SafeFragment3.class.getName().equals(fragmentName);\n }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-470", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/android/implicit-pendingintents", + "name": "java/android/implicit-pendingintents", + "shortDescription": { + "text": "Use of implicit PendingIntents" + }, + "fullDescription": { + "text": "Sending an implicit and mutable 'PendingIntent' to an unspecified third party component may provide an attacker with access to internal components of the application or cause other unintended effects." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n", + "markdown": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-927", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/implicitly-exported-component", + "name": "java/android/implicitly-exported-component", + "shortDescription": { + "text": "Implicitly exported Android component" + }, + "fullDescription": { + "text": "Android components with an '' and no 'android:exported' attribute are implicitly exported, which can allow for improper access to the components themselves and to their data." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n \n \n \n \n \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n \n \n android:name=\".Activity\">\n android:exported=\"false\"\n \n \n \n \n \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/android/insecure-local-authentication", + "name": "java/android/insecure-local-authentication", + "shortDescription": { + "text": "Insecure local authentication" + }, + "fullDescription": { + "text": "Local authentication that does not make use of a `CryptoObject` can be bypassed." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n", + "markdown": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback {\n @Override\n // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n grantAccess()\n }\n }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n \"MySecretKey\",\n KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n .setUserAuthenticationRequired(true)\n .setInvalidatedByBiometricEnrollment(true)\n .build();\n KeyGenerator keyGenerator = KeyGenerator.getInstance(\n KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n keyGenerator.init(keyGenParameterSpec);\n keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n keyStore.load(null);\n return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n + KeyProperties.BLOCK_MODE_CBC + \"/\"\n + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n Cipher cipher = getCipher();\n SecretKey secretKey = getSecretKey();\n cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n biometricPrompt.authenticate(\n new BiometricPrompt.CryptoObject(cipher),\n cancellationSignal,\n executor,\n new BiometricPrompt.AuthenticationCallback() {\n @Override\n // GOOD: This authentication callback uses the result to decrypt some data.\n public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n Cipher cipher = result.getCryptoObject().getCipher();\n byte[] decryptedData = cipher.doFinal(encryptedData);\n grantAccessWithData(decryptedData);\n }\n }\n );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-287", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql", + "precision": "high", + "security-severity": "4.4" + } + }, + { + "id": "java/android/intent-redirection", + "name": "java/android/intent-redirection", + "shortDescription": { + "text": "Android Intent redirection" + }, + "fullDescription": { + "text": "Starting Android components with user-provided Intents can provide access to internal components of the application, increasing the attack surface and potentially causing unintended effects." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n", + "markdown": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n destinationComponent.getClassName().equals(\"SafeClass\")) {\n startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-926", + "external/cwe/cwe-940", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/intent-uri-permission-manipulation", + "name": "java/android/intent-uri-permission-manipulation", + "shortDescription": { + "text": "Intent URI permission manipulation" + }, + "fullDescription": { + "text": "Returning an externally provided Intent via 'setResult' may allow a malicious application to access arbitrary content providers of the vulnerable application." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Intent URI permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n", + "markdown": "# Intent URI permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n // BAD: the user-provided Intent is returned as-is\n public void dangerous() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: a new Intent is created and returned\n public void safe() {\n Intent intent = new Intent();\n intent.putExtra(\"result\", \"resultData\");\n setResult(intent);\n }\n\n // GOOD: the user-provided Intent is sanitized before being returned\n public void sanitized() {\n Intent intent = getIntent();\n intent.putExtra(\"result\", \"resultData\");\n intent.removeFlags(\n Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n setResult(intent);\n }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-266", + "external/cwe/cwe-926", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/android/unsafe-content-uri-resolution", + "name": "java/android/unsafe-content-uri-resolution", + "shortDescription": { + "text": "Uncontrolled data used in content resolution" + }, + "fullDescription": { + "text": "Resolving externally-provided content URIs without validation can allow an attacker to access unexpected resources." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n }\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n", + "markdown": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n public void onCreate() {\n // BAD: Externally-provided URI directly used in content resolution\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n if (path.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n // GOOD: URI is properly validated to block access to internal files\n {\n ContentResolver contentResolver = getContentResolver();\n Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n String path = uri.getPath();\n java.nio.file.Path normalized =\n java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n if (normalized.startsWith(\"/data\"))\n throw new SecurityException();\n InputStream is = contentResolver.openInputStream(uri);\n copyToExternalCache(is);\n }\n }\n\n private void copyToExternalCache(InputStream is) {\n // Reads the contents of is and writes a file in the app's external\n // cache directory, which can be read publicly by applications in the same device.\n }\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-441", + "external/cwe/cwe-610", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/android/webview-debugging-enabled", + "name": "java/android/webview-debugging-enabled", + "shortDescription": { + "text": "Android Webview debugging enabled" + }, + "fullDescription": { + "text": "Enabling Webview debugging in production builds can expose entry points or leak sensitive information." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n", + "markdown": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-489", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql", + "precision": "high", + "security-severity": "7.2" + } + }, + { + "id": "java/cleartext-storage-in-cookie", + "name": "java/cleartext-storage-in-cookie", + "shortDescription": { + "text": "Cleartext storage of sensitive information in cookie" + }, + "fullDescription": { + "text": "Storing sensitive information in cleartext can expose it to an attacker." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n", + "markdown": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-315", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/command-line-injection", + "name": "java/command-line-injection", + "shortDescription": { + "text": "Uncontrolled command line" + }, + "fullDescription": { + "text": "Using externally controlled strings in a command line is vulnerable to malicious changes in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n String script = System.getenv(\"SCRIPTNAME\");\n if (script != null) {\n // BAD: The script to be executed is controlled by the user.\n Runtime.getRuntime().exec(script);\n }\n }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/concatenated-command-line", + "name": "java/concatenated-command-line", + "shortDescription": { + "text": "Building a command line with string concatenation" + }, + "fullDescription": { + "text": "Using concatenated strings in a command line is vulnerable to malicious insertion of special characters in the strings." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n", + "markdown": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n public static void main(String[] args) {\n // BAD: user input might include special characters such as ampersands\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n }\n\n // GOOD: use an array of arguments instead of executing a string\n {\n String latlonCoords = args[1];\n Runtime rt = Runtime.getRuntime();\n Process exec = rt.exec(new String[] {\n \"c:\\\\path\\to\\latlon2utm.exe\",\n latlonCoords });\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-078", + "external/cwe/cwe-088", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/error-message-exposure", + "name": "java/error-message-exposure", + "shortDescription": { + "text": "Information exposure through an error message" + }, + "fullDescription": { + "text": "Information from an error message propagates to an external user. Error messages can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n", + "markdown": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/groovy-injection", + "name": "java/groovy-injection", + "shortDescription": { + "text": "Groovy Language injection" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Groovy script may lead to arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. */\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n void injectionViaClassLoader(HttpServletRequest request) { \n String script = request.getParameter(\"script\");\n final GroovyClassLoader classLoader = new GroovyClassLoader();\n Class groovy = classLoader.parseClass(script);\n GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n }\n\n void injectionViaEval(HttpServletRequest request) {\n String script = request.getParameter(\"script\");\n Eval.me(script);\n }\n\n void injectionViaGroovyShell(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n shell.evaluate(script);\n }\n\n void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n GroovyShell shell = new GroovyShell();\n String script = request.getParameter(\"script\");\n GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n shell.evaluate(gcs);\n }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n public SandboxGroovyClassLoader(ClassLoader parent) {\n super(parent);\n }\n\n /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc. */\n /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. */\n\n static void runWithSandboxGroovyClassLoader() throws Exception {\n // GOOD: route all class-loading via sand-boxing classloader.\n SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n \n Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n Object scriptInstance = scriptClass.newInstance();\n Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/http-response-splitting", + "name": "java/http-response-splitting", + "shortDescription": { + "text": "HTTP response splitting" + }, + "fullDescription": { + "text": "Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/implicit-cast-in-compound-assignment", + "name": "java/implicit-cast-in-compound-assignment", + "shortDescription": { + "text": "Implicit narrowing conversion in compound assignment" + }, + "fullDescription": { + "text": "Compound assignment statements (for example 'intvar += longvar') that implicitly cast a value of a wider type to a narrower type may result in information loss and numeric errors such as overflows." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-190", + "external/cwe/cwe-192", + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "reliability", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Likely%20Bugs/Arithmetic/InformationLoss.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/improper-intent-verification", + "name": "java/improper-intent-verification", + "shortDescription": { + "text": "Improper verification of intent by broadcast receiver" + }, + "fullDescription": { + "text": "A broadcast receiver that does not verify intents it receives may be susceptible to unintended behavior by third party applications sending it explicit intents." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n", + "markdown": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n```xml\n\n \n \n \n \n \n \n \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n @Override\n public void onReceive(final Context context, final Intent intent) {\n if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n return;\n }\n mainActivity.saveLocalData();\n mainActivity.stopActivity();\n }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-925", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql", + "precision": "high", + "security-severity": "8.2" + } + }, + { + "id": "java/improper-webview-certificate-validation", + "name": "java/improper-webview-certificate-validation", + "shortDescription": { + "text": "Android `WebView` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given `SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given `SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n // BAD: All certificates are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n handler.proceed(); \n }\n}\n\nclass Good extends WebViewClient {\n PublicKey myPubKey = ...;\n\n // GOOD: Only certificates signed by a certain public key are trusted.\n public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n try {\n X509Certificate cert = error.getCertificate().getX509Certificate();\n cert.verify(this.myPubKey);\n handler.proceed();\n }\n catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n handler.cancel();\n }\n } \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insecure-bean-validation", + "name": "java/insecure-bean-validation", + "shortDescription": { + "text": "Insecure Bean Validation" + }, + "fullDescription": { + "text": "User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n .configure()\n .messageInterpolator(new ParameterMessageInterpolator())\n .buildValidatorFactory()\n .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n public static class InterpolationHelper {\n\n public static final char BEGIN_TERM = '{';\n public static final char END_TERM = '}';\n public static final char EL_DESIGNATOR = '$';\n public static final char ESCAPE_CHARACTER = '\\\\';\n\n private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n private InterpolationHelper() {\n }\n\n public static String escapeMessageParameter(String messageParameter) {\n if ( messageParameter == null ) {\n return null;\n }\n return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n }\n\n }\n\n @Override\n public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n String value = object + \" is invalid\";\n\n // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are escaped \n String escaped = InterpolationHelper.escapeMessageParameter(value);\n constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n // Good: Bean properties (normally user-controlled) are parameterized\n HibernateConstraintValidatorContext context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n context.addMessageParameter( \"prop\", object );\n context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n return false;\n }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/insecure-cookie", + "name": "java/insecure-cookie", + "shortDescription": { + "text": "Failure to use secure cookies" + }, + "fullDescription": { + "text": "Insecure cookies may be sent in cleartext, which makes them vulnerable to interception." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n", + "markdown": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-614", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/insecure-ldap-auth", + "name": "java/insecure-ldap-auth", + "shortDescription": { + "text": "Insecure LDAP authentication" + }, + "fullDescription": { + "text": "LDAP authentication with credentials sent in cleartext makes sensitive information vulnerable to remote attackers" + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n", + "markdown": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-319", + "external/cwe/cwe-522", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/insecure-randomness", + "name": "java/insecure-randomness", + "shortDescription": { + "text": "Insecure randomness" + }, + "fullDescription": { + "text": "Using a cryptographically Insecure pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-330", + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/insecure-trustmanager", + "name": "java/insecure-trustmanager", + "shortDescription": { + "text": "`TrustManager` that accepts all certificates" + }, + "fullDescription": { + "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n", + "markdown": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n {\n class InsecureTrustManager implements X509TrustManager {\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return null;\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n // BAD: Does not verify the certificate chain, allowing any certificate.\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n }\n }\n SSLContext context = SSLContext.getInstance(\"TLS\");\n TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n context.init(null, trustManager, null);\n }\n {\n SSLContext context = SSLContext.getInstance(\"TLS\");\n File certificateFile = new File(\"path/to/self-signed-certificate\");\n // Create a `KeyStore` with default type\n KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n // `keyStore` is initially empty\n keyStore.load(null, null);\n X509Certificate generatedCertificate;\n try (InputStream cert = new FileInputStream(certificateFile)) {\n generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n .generateCertificate(cert);\n }\n // Add the self-signed certificate to the key store\n keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n // Get default `TrustManagerFactory`\n TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n // Use it with our key store that trusts our self-signed certificate\n tmf.init(keyStore);\n TrustManager[] trustManagers = tmf.getTrustManagers();\n context.init(null, trustManagers, null);\n // GOOD, we are not using a custom `TrustManager` but instead have\n // added the self-signed certificate we want to trust to the key\n // store. Note, the `trustManagers` will **only** trust this one\n // certificate.\n \n URL url = new URL(\"https://self-signed.badssl.com/\");\n HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n conn.setSSLSocketFactory(context.getSocketFactory());\n }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-295", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/insufficient-key-size", + "name": "java/insufficient-key-size", + "shortDescription": { + "text": "Use of a cryptographic algorithm with insufficient key size" + }, + "fullDescription": { + "text": "Using cryptographic algorithms with too small a key size can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n", + "markdown": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n keyPairGen4.initialize(ecSpec);\n\n KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-326", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/jexl-expression-injection", + "name": "java/jexl-expression-injection", + "shortDescription": { + "text": "Expression language injection (JEXL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled JEXL expression may lead to arbitrary code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String input = reader.readLine();\n JexlEngine jexl = new JexlBuilder().create();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlSandbox onlyMath = new JexlSandbox(false);\n onlyMath.white(\"java.lang.Math\");\n JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n}\n```\nThe next example shows another way how a sandbox can be implemented. It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n JexlUberspect sandbox = new JexlUberspectSandbox();\n JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n \n String input = reader.readLine();\n JexlExpression expression = jexl.createExpression(input);\n JexlContext context = new MapContext();\n expression.evaluate(context);\n }\n\n private static class JexlUberspectSandbox implements JexlUberspect {\n\n private static final List ALLOWED_CLASSES =\n Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n private void checkAccess(Object obj) {\n if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n throw new AccessControlException(\"Not allowed\");\n }\n }\n\n @Override\n public JexlMethod getMethod(Object obj, String method, Object... args) {\n checkAccess(obj);\n return uberspect.getMethod(obj, method, args);\n }\n\n @Override\n public List getResolvers(JexlOperator op, Object obj) {\n checkAccess(obj);\n return uberspect.getResolvers(op, obj);\n }\n\n @Override\n public void setClassLoader(ClassLoader loader) {\n uberspect.setClassLoader(loader);\n }\n\n @Override\n public int getVersion() {\n return uberspect.getVersion();\n }\n\n @Override\n public JexlMethod getConstructor(Object obj, Object... args) {\n checkAccess(obj);\n return uberspect.getConstructor(obj, args);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(obj, identifier);\n }\n\n @Override\n public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n checkAccess(obj);\n return uberspect.getPropertyGet(resolvers, obj, identifier);\n }\n\n @Override\n public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(obj, identifier, arg);\n }\n\n @Override\n public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n checkAccess(obj);\n return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n }\n\n @Override\n public Iterator getIterator(Object obj) {\n checkAccess(obj);\n return uberspect.getIterator(obj);\n }\n\n @Override\n public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n return uberspect.getArithmetic(arithmetic);\n } \n }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/jhipster-prng", + "name": "java/jhipster-prng", + "shortDescription": { + "text": "Detect JHipster Generator Vulnerability CVE-2019-16303" + }, + "fullDescription": { + "text": "Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n", + "markdown": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n private static final int DEF_COUNT = 20;\n\n private RandomUtil() {\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n private static final int DEF_COUNT = 20;\n\n static {\n SECURE_RANDOM.nextBytes(new byte[64]);\n }\n\n private RandomUtil() {\n }\n\n private static String generateRandomAlphanumericString() {\n // GOOD: Passing Secure Random to RandomStringUtils::random\n return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n }\n\n /**\n * Generate a password.\n *\n * @return the generated password.\n */\n public static String generatePassword() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate an activation key.\n *\n * @return the generated activation key.\n */\n public static String generateActivationKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a reset key.\n *\n * @return the generated reset key.\n */\n public static String generateResetKey() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a unique series to validate a persistent token, used in the\n * authentication remember-me mechanism.\n *\n * @return the generated series data.\n */\n public static String generateSeriesData() {\n return generateRandomAlphanumericString();\n }\n\n /**\n * Generate a persistent token, used in the authentication remember-me mechanism.\n *\n * @return the generated token data.\n */\n public static String generateTokenData() {\n return generateRandomAlphanumericString();\n }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-338", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql", + "precision": "very-high", + "security-severity": "7.8" + } + }, + { + "id": "java/jndi-injection", + "name": "java/jndi-injection", + "shortDescription": { + "text": "JNDI lookup with user-controlled name" + }, + "fullDescription": { + "text": "Performing a JNDI lookup with a user-controlled name can lead to the download of an untrusted object and to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n String name = request.getParameter(\"name\");\n\n Hashtable env = new Hashtable();\n env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n InitialContext ctx = new InitialContext(env);\n\n // BAD: User input used in lookup\n ctx.lookup(name);\n\n // GOOD: The name is validated before being used in lookup\n if (isValid(name)) {\n ctx.lookup(name);\n } else {\n // Reject the request\n }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/ldap-injection", + "name": "java/ldap-injection", + "shortDescription": { + "text": "LDAP query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n", + "markdown": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // BAD: User input used in DN (Distinguished Name) without encoding\n String dn = \"OU=People,O=\" + organizationName;\n\n // BAD: User input used in search filter without encoding\n String filter = \"username=\" + userName;\n\n ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // ESAPI encoder\n Encoder encoder = DefaultEncoder.getInstance();\n\n // GOOD: Organization name is encoded before being used in DN\n String safeOrganizationName = encoder.encodeForDN(organizationName);\n String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n // GOOD: User input is encoded before being used in search filter\n String safeUsername = encoder.encodeForLDAP(username);\n String safeFilter = \"username=\" + safeUsername;\n \n ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n // GOOD: Organization name is encoded before being used in DN\n String safeDn = LdapNameBuilder.newInstance()\n .add(\"O\", organizationName)\n .add(\"OU=People\")\n .build().toString();\n\n // GOOD: User input is encoded before being used in search filter\n LdapQuery query = query()\n .base(safeDn)\n .where(\"username\").is(username);\n\n ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n \n c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n String organizationName = request.getParameter(\"organization_name\");\n String username = request.getParameter(\"username\");\n\n // GOOD: Organization name is encoded before being used in DN\n Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n // GOOD: User input is encoded before being used in search filter\n String safeFilter = equal(\"username\", username);\n \n SearchRequest searchRequest = new SearchRequestImpl();\n searchRequest.setBase(safeDn);\n searchRequest.setFilter(safeFilter);\n c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-090", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/maven/dependency-upon-bintray", + "name": "java/maven/dependency-upon-bintray", + "shortDescription": { + "text": "Depending upon JCenter/Bintray as an artifact repository" + }, + "fullDescription": { + "text": "Using a deprecated artifact repository may eventually give attackers access for a supply chain attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n", + "markdown": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Bintray Usage\n An example of using bintray to download and upload dependencies\n\n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n jcenter-snapshots\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://jcenter.bintray.com\n \n \n \n \n jcenter\n JCenter\n \n https://dl.bintray.com/groovy/maven\n \n \n \n \n jcenter-plugins\n JCenter\n \n https://jcenter.bintray.com\n \n \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1104", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql", + "precision": "very-high", + "security-severity": "6.5" + } + }, + { + "id": "java/maven/non-https-url", + "name": "java/maven/non-https-url", + "shortDescription": { + "text": "Failure to use HTTPS or SFTP URL in Maven artifact upload/download" + }, + "fullDescription": { + "text": "Non-HTTPS connections can be intercepted by third parties." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n", + "markdown": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of insecure download and upload of dependencies\n\n \n \n insecure-releases\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n insecure-snapshots\n Insecure Repository Snapshots\n \n http://insecure-repository.example\n \n \n \n \n insecure\n Insecure Repository\n \n http://insecure-repository.example\n \n \n \n \n insecure-plugins\n Insecure Repository Releases\n \n http://insecure-repository.example\n \n \n\n\n```\n\n```xml\n\n\n\n 4.0.0\n\n com.semmle\n parent\n 1.0\n pom\n\n Security Testing\n An example of secure download and upload of dependencies\n\n \n \n insecure-releases\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n insecure-snapshots\n Secure Repository Snapshots\n \n https://insecure-repository.example\n \n \n \n \n insecure\n Secure Repository\n \n https://insecure-repository.example\n \n \n \n \n insecure-plugins\n Secure Repository Releases\n \n https://insecure-repository.example\n \n \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-300", + "external/cwe/cwe-319", + "external/cwe/cwe-494", + "external/cwe/cwe-829", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql", + "precision": "very-high", + "security-severity": "8.1" + } + }, + { + "id": "java/missing-jwt-signature-check", + "name": "java/missing-jwt-signature-check", + "shortDescription": { + "text": "Missing JWT signature check" + }, + "fullDescription": { + "text": "Failing to check the Json Web Token (JWT) signature may allow an attacker to forge their own tokens." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n", + "markdown": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jwt onPlaintextJwt(Jwt jwt) {\n return jwt;\n }\n }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parseClaimsJws(token) // GOOD: Verify the signature\n .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n Jwts.parserBuilder()\n .setSigningKey(\"someBase64EncodedKey\").build()\n .parse(plaintextJwt, new JwtHandlerAdapter>() {\n @Override\n public Jws onPlaintextJws(Jws jws) {\n return jws;\n }\n }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-347", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/mvel-expression-injection", + "name": "java/mvel-expression-injection", + "shortDescription": { + "text": "Expression language injection (MVEL)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled MVEL expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // BAD: the user-provided expression is directly evaluated\n MVEL.eval(expression);\n }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n \n String expression = reader.readLine();\n // GOOD: the user-provided expression is validated before evaluation\n validateExpression(expression);\n MVEL.eval(expression);\n }\n}\n\nprivate void validateExpression(String expression) {\n // Validate that the expression does not contain unexpected code.\n // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/netty-http-request-or-response-splitting", + "name": "java/netty-http-request-or-response-splitting", + "shortDescription": { + "text": "Disabled Netty HTTP header validation" + }, + "fullDescription": { + "text": "Disabling HTTP header validation makes code vulnerable to attack by header splitting if user input is written directly to an HTTP header." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n", + "markdown": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal response splitting verification\n private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n // BAD: Disables the internal request splitting verification\n private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n // GOOD: Verifies headers passed don't contain CRLF characters\n private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-113", + "external/cwe/cwe-93", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/ognl-injection", + "name": "java/ognl-injection", + "shortDescription": { + "text": "OGNL Expression Language statement with user-controlled input" + }, + "fullDescription": { + "text": "Evaluation of OGNL Expression Language statement with user-controlled input can lead to execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n", + "markdown": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n String expression = request.getParameter(\"expression\");\n\n // BAD: User provided expression is evaluated\n Ognl.getValue(expression, root);\n \n // GOOD: The name is validated and expression is evaluated in sandbox\n System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n if (isValid(expression)) {\n Ognl.getValue(expression, root);\n } else {\n // Reject the request\n }\n}\n\npublic void isValid(Strig expression) {\n // Custom method to validate the expression.\n // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-917", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/overly-large-range", + "name": "java/overly-large-range", + "shortDescription": { + "text": "Overly permissive regular expression range" + }, + "fullDescription": { + "text": "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n", + "markdown": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n public static boolean is_valid_hex_color(String color) {\n return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n" + }, + "properties": { + "tags": [ + "correctness", + "external/cwe/cwe-020", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql", + "precision": "high", + "security-severity": "5" + } + }, + { + "id": "java/partial-path-traversal-from-remote", + "name": "java/partial-path-traversal-from-remote", + "shortDescription": { + "text": "Partial path traversal vulnerability from remote" + }, + "fullDescription": { + "text": "A prefix used to check that a canonicalised path falls within another must be slash-terminated." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n", + "markdown": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n public void example(File dir, File parent) throws IOException {\n if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n public void example(File dir, File parent) throws IOException {\n if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n }\n }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-023", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/path-injection", + "name": "java/path-injection", + "shortDescription": { + "text": "Uncontrolled data used in path expression" + }, + "fullDescription": { + "text": "Accessing paths influenced by users can allow an attacker to access unexpected resources." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + \"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n", + "markdown": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + \"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-022", + "external/cwe/cwe-023", + "external/cwe/cwe-036", + "external/cwe/cwe-073", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/polynomial-redos", + "name": "java/polynomial-redos", + "shortDescription": { + "text": "Polynomial regular expression used on uncontrolled data" + }, + "fullDescription": { + "text": "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 1000) {\n throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/predictable-seed", + "name": "java/predictable-seed", + "shortDescription": { + "text": "Use of a predictable seed in a secure random number generator" + }, + "fullDescription": { + "text": "Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n", + "markdown": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-335", + "external/cwe/cwe-337", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/redos", + "name": "java/redos", + "shortDescription": { + "text": "Inefficient regular expression" + }, + "fullDescription": { + "text": "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1333", + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/ReDoS.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/regex-injection", + "name": "java/regex-injection", + "shortDescription": { + "text": "Regular expression injection" + }, + "fullDescription": { + "text": "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: [Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n", + "markdown": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // BAD: Unsanitized user input is used to construct a regular expression\n return input.matches(regex);\n }\n\n public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n String regex = request.getParameter(\"regex\");\n String input = request.getParameter(\"input\");\n\n // GOOD: User input is sanitized before constructing the regex\n return input.matches(Pattern.quote(regex));\n }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: [Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-400", + "external/cwe/cwe-730", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/rsa-without-oaep", + "name": "java/rsa-without-oaep", + "shortDescription": { + "text": "Use of RSA algorithm without OAEP" + }, + "fullDescription": { + "text": "Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n", + "markdown": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-780", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/server-side-template-injection", + "name": "java/server-side-template-injection", + "shortDescription": { + "text": "Server-side template injection" + }, + "fullDescription": { + "text": "Untrusted input interpreted as a template can lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "external/cwe/cwe-1336", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/spel-expression-injection", + "name": "java/spel-expression-injection", + "shortDescription": { + "text": "Expression language injection (Spring)" + }, + "fullDescription": { + "text": "Evaluation of a user-controlled Spring Expression Language (SpEL) expression may lead to remote code execution." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n", + "markdown": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n return expression.getValue();\n }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n try (BufferedReader reader = new BufferedReader(\n new InputStreamReader(socket.getInputStream()))) {\n\n String string = reader.readLine();\n ExpressionParser parser = new SpelExpressionParser();\n Expression expression = parser.parseExpression(string);\n SimpleEvaluationContext context \n = SimpleEvaluationContext.forReadWriteDataBinding().build();\n return expression.getValue(context);\n }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-094", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/spring-disabled-csrf-protection", + "name": "java/spring-disabled-csrf-protection", + "shortDescription": { + "text": "Disabled Spring CSRF protection" + }, + "fullDescription": { + "text": "Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n", + "markdown": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n @Override\n protected void configure(HttpSecurity http) throws Exception {\n http\n .csrf(csrf ->\n // BAD - CSRF protection shouldn't be disabled\n csrf.disable() \n );\n }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-352", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/sql-injection", + "name": "java/sql-injection", + "shortDescription": { + "text": "Query built from user-controlled sources" + }, + "fullDescription": { + "text": "Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. `query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n", + "markdown": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have SQL special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n + category + \"' ORDER BY PRICE\";\n ResultSet results = statement.executeQuery(query1);\n}\n\n{\n // GOOD: use a prepared query\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n PreparedStatement statement = connection.prepareStatement(query2);\n statement.setString(1, category);\n ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. `query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n // BAD: the category might have Java Persistence Query Language special characters in it\n String category = System.getenv(\"ITEM_CATEGORY\");\n Statement statement = connection.createStatement();\n String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n + category + \"' ORDER BY p.price\";\n Query q = entityManager.createQuery(query1);\n}\n\n{\n // GOOD: use a named parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n Query q = entityManager.createQuery(query2);\n q.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a positional parameter and set its value\n String category = System.getenv(\"ITEM_CATEGORY\");\n String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n Query q = entityManager.createQuery(query3);\n q.setParameter(1, category);\n}\n\n{\n // GOOD: use a named query with a named parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery1.setParameter(\"category\", category);\n}\n\n{\n // GOOD: use a named query with a positional parameter and set its value\n @NamedQuery(\n name=\"lookupByCategory\",\n query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\")\n private static class NQ {}\n ...\n String category = System.getenv(\"ITEM_CATEGORY\");\n Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-089", + "external/cwe/cwe-564", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql", + "precision": "high", + "security-severity": "8.8" + } + }, + { + "id": "java/ssrf", + "name": "java/ssrf", + "shortDescription": { + "text": "Server-side request forgery" + }, + "fullDescription": { + "text": "Making web requests based on unvalidated user-input may cause the server to communicate with malicious servers." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n", + "markdown": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-918", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/stack-trace-exposure", + "name": "java/stack-trace-exposure", + "shortDescription": { + "text": "Information exposure through a stack trace" + }, + "fullDescription": { + "text": "Information from a stack trace propagates to an external user. Stack traces can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n", + "markdown": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-209", + "external/cwe/cwe-497", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql", + "precision": "high", + "security-severity": "5.4" + } + }, + { + "id": "java/static-initialization-vector", + "name": "java/static-initialization-vector", + "shortDescription": { + "text": "Using a static initialization vector for encryption" + }, + "fullDescription": { + "text": "An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredictable, to maximize encryption and prevent dictionary attacks." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n", + "markdown": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-1204", + "external/cwe/cwe-329", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/summary/lines-of-code", + "name": "java/summary/lines-of-code", + "shortDescription": { + "text": "Total lines of Java/Kotlin code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java and Kotlin files. This is a useful metric of the size of a database. For all source files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "lines-of-code", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-java", + "name": "java/summary/lines-of-code-java", + "shortDescription": { + "text": "Total lines of Java code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Java files. This is a useful metric of the size of a database. For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/summary/lines-of-code-kotlin", + "name": "java/summary/lines-of-code-kotlin", + "shortDescription": { + "text": "Total lines of Kotlin code in the database" + }, + "fullDescription": { + "text": "The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database. For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace or comments." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "debug", + "summary" + ] + } + }, + { + "id": "java/tainted-format-string", + "name": "java/tainted-format-string", + "shortDescription": { + "text": "Use of externally-controlled format string" + }, + "fullDescription": { + "text": "Using external input in format strings can lead to exceptions or information leaks." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n", + "markdown": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n // User provided value\n String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n \n if (notValid(cardSecurityCode)) {\n \n /*\n * BAD: user provided value is included in the format string.\n * A malicious user could provide an extra format specifier, which causes an\n * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n * access the month or day of the expiration date.\n */\n System.out.format(cardSecurityCode +\n \" is not the right value. Hint: the card expires in %1$ty.\",\n expirationDate);\n \n // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n cardSecurityCode,\n expirationDate);\n }\n\n }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-134", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql", + "precision": "high", + "security-severity": "9.3" + } + }, + { + "id": "java/tainted-numeric-cast", + "name": "java/tainted-numeric-cast", + "shortDescription": { + "text": "User-controlled data in numeric cast" + }, + "fullDescription": { + "text": "Casting user-controlled numeric data to a narrower type without validation can cause unexpected truncation." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n", + "markdown": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-197", + "external/cwe/cwe-681", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql", + "precision": "high", + "security-severity": "9" + } + }, + { + "id": "java/tainted-permissions-check", + "name": "java/tainted-permissions-check", + "shortDescription": { + "text": "User-controlled data used in permissions check" + }, + "fullDescription": { + "text": "Using user-controlled data in a permissions check may result in inappropriate permissions being granted." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n", + "markdown": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-290", + "external/cwe/cwe-807", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/telemetry/external-libs", + "name": "java/telemetry/external-libs", + "shortDescription": { + "text": "External libraries" + }, + "fullDescription": { + "text": "A list of external libraries used in the code" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/extraction-information", + "name": "java/telemetry/extraction-information", + "shortDescription": { + "text": "Java extraction information" + }, + "fullDescription": { + "text": "Information about the extraction for a Java database" + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api", + "name": "java/telemetry/supported-external-api", + "shortDescription": { + "text": "Usage of supported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of supported 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sinks", + "name": "java/telemetry/supported-external-api-sinks", + "shortDescription": { + "text": "Supported sinks in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sinks. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-sources", + "name": "java/telemetry/supported-external-api-sources", + "shortDescription": { + "text": "Supported sources in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as sources. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/supported-external-api-taint", + "name": "java/telemetry/supported-external-api-taint", + "shortDescription": { + "text": "Supported flow steps in external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs detected as flow steps. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/telemetry/unsupported-external-api", + "name": "java/telemetry/unsupported-external-api", + "shortDescription": { + "text": "Usage of unsupported APIs coming from external libraries" + }, + "fullDescription": { + "text": "A list of 3rd party APIs used in the codebase. Excludes test and generated code." + }, + "defaultConfiguration": {}, + "properties": { + "tags": [ + "summary", + "telemetry" + ] + } + }, + { + "id": "java/unsafe-deserialization", + "name": "java/unsafe-deserialization", + "shortDescription": { + "text": "Deserialization of user-controlled data" + }, + "fullDescription": { + "text": "Deserializing user-controlled data may allow attackers to execute arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n }\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n", + "markdown": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n public int field;\n MyObject(int field) {\n this.field = field;\n }\n}\n\npublic MyObject deserialize(Socket sock) {\n try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n return (MyObject)in.readObject(); // unsafe\n }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n return new MyObject(in.readInt());\n }\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-502", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/unsafe-hostname-verification", + "name": "java/unsafe-hostname-verification", + "shortDescription": { + "text": "Unsafe hostname verification" + }, + "fullDescription": { + "text": "Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n", + "markdown": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-297", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql", + "precision": "high", + "security-severity": "5.9" + } + }, + { + "id": "java/unvalidated-url-forward", + "name": "java/unvalidated-url-forward", + "shortDescription": { + "text": "URL forward from a remote source" + }, + "fullDescription": { + "text": "URL forward based on unvalidated user input may cause file information disclosure." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL forward from a remote source\nDirectly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n", + "markdown": "# URL forward from a remote source\nDirectly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-552", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-552/UrlForward.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/unvalidated-url-redirection", + "name": "java/unvalidated-url-redirection", + "shortDescription": { + "text": "URL redirection from remote source" + }, + "fullDescription": { + "text": "URL redirection based on unvalidated user-input may cause redirection to malicious web sites." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if (!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n", + "markdown": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // BAD: a request parameter is incorporated without validation into a URL redirect\n response.sendRedirect(request.getParameter(\"target\"));\n }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n private static final List VALID_REDIRECTS = Arrays.asList(\n \"http://cwe.mitre.org/data/definitions/601.html\",\n \"http://cwe.mitre.org/data/definitions/79.html\"\n );\n\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n // GOOD: the request parameter is validated against a known list of strings\n String target = request.getParameter(\"target\");\n if (VALID_REDIRECTS.contains(target)) {\n response.sendRedirect(target);\n } else {\n response.sendRedirect(\"/error.html\");\n }\n }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n try {\n String urlString = request.getParameter(\"page\");\n URI url = new URI(urlString);\n\n if (!url.isAbsolute()) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n }\n\n if (\"example.org\".equals(url.getHost())) {\n response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n }\n } catch (URISyntaxException e) {\n // handle exception\n }\n }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-601", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/weak-cryptographic-algorithm", + "name": "java/weak-cryptographic-algorithm", + "shortDescription": { + "text": "Use of a broken or risky cryptographic algorithm" + }, + "fullDescription": { + "text": "Using broken or weak cryptographic algorithms can allow an attacker to compromise security." + }, + "defaultConfiguration": {}, + "help": { + "text": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n", + "markdown": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-327", + "external/cwe/cwe-328", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql", + "precision": "high", + "security-severity": "7.5" + } + }, + { + "id": "java/world-writable-file-read", + "name": "java/world-writable-file-read", + "shortDescription": { + "text": "Reading from a world writable file" + }, + "fullDescription": { + "text": "Reading from a file which is set as world writable is dangerous because the file may be modified or removed by external actors." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n", + "markdown": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n if (!configFile.exists()) {\n // Create an empty config file\n configFile.createNewFile();\n // Make the file writable for all\n configFile.setWritable(true, false);\n }\n // Now read the config\n loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-732", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql", + "precision": "high", + "security-severity": "7.8" + } + }, + { + "id": "java/xml/xpath-injection", + "name": "java/xml/xpath-injection", + "shortDescription": { + "text": "XPath injection" + }, + "fullDescription": { + "text": "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch (v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n", + "markdown": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n \" \" + \n \" \" + \n \"\";\ntry {\n DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n domFactory.setNamespaceAware(true);\n DocumentBuilder builder = domFactory.newDocumentBuilder();\n //Document doc = builder.parse(\"user.xml\");\n Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n XPathFactory factory = XPathFactory.newInstance();\n XPath xpath = factory.newXPath();\n\n // Injectable data\n String user = request.getParameter(\"user\");\n String pass = request.getParameter(\"pass\");\n if (user != null && pass != null) {\n boolean isExist = false;\n\n // Bad expression\n String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Bad expression\n StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n sb.append(user);\n sb.append(\"' and @pass='\");\n sb.append(pass);\n sb.append(\"']\");\n String query = sb.toString();\n XPathExpression expression3 = xpath.compile(query);\n isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n // Good expression\n String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n xpath.setXPathVariableResolver(v -> {\n switch (v.getLocalPart()) {\n case \"user\":\n return user;\n case \"pass\":\n return pass;\n default:\n throw new IllegalArgumentException();\n }\n });\n isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n System.out.println(isExist);\n\n\n // Bad Dom4j \n org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();\n org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n // or document.selectNodes\n System.out.println(isExist);\n\n // Good Dom4j\n org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n svc.setVariableValue(\"user\", user);\n svc.setVariableValue(\"pass\", pass);\n String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n safeXPath.setVariableContext(svc);\n isExist = safeXPath.selectSingleNode(document) != null;\n System.out.println(isExist);\n }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-643", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xslt-injection", + "name": "java/xslt-injection", + "shortDescription": { + "text": "XSLT transformation with user-controlled stylesheet" + }, + "fullDescription": { + "text": "Performing an XSLT transformation with user-controlled stylesheets can lead to information disclosure or execution of arbitrary code." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: [XSLT](https://en.wikipedia.org/wiki/XSLT).\n* The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n", + "markdown": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n StreamSource xslt = new StreamSource(socket.getInputStream());\n StreamSource xml = new StreamSource(new StringReader(inputXml));\n StringWriter result = new StringWriter();\n TransformerFactory factory = TransformerFactory.newInstance();\n\n // BAD: User provided XSLT stylesheet is processed\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n // GOOD: The secure processing mode is enabled\n factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n} \n```\n\n## References\n* Wikipedia: [XSLT](https://en.wikipedia.org/wiki/XSLT).\n* The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-074", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql", + "precision": "high", + "security-severity": "9.8" + } + }, + { + "id": "java/xss", + "name": "java/xss", + "shortDescription": { + "text": "Cross-site scripting" + }, + "fullDescription": { + "text": "Writing user input directly to a web page allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n", + "markdown": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-079", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-079/XSS.ql", + "precision": "high", + "security-severity": "6.1" + } + }, + { + "id": "java/xxe", + "name": "java/xxe", + "shortDescription": { + "text": "Resolving XML external entity in user-controlled data" + }, + "fullDescription": { + "text": "Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n", + "markdown": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n DocumentBuilder builder = factory.newDocumentBuilder();\n builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-611", + "external/cwe/cwe-776", + "external/cwe/cwe-827", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-611/XXE.ql", + "precision": "high", + "security-severity": "9.1" + } + }, + { + "id": "java/zipslip", + "name": "java/zipslip", + "shortDescription": { + "text": "Arbitrary file access during archive extraction (\"Zip Slip\")" + }, + "fullDescription": { + "text": "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources." + }, + "defaultConfiguration": { + "level": "error" + }, + "help": { + "text": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n", + "markdown": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n FileOutputStream fos = new FileOutputStream(file); // BAD\n // ... write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n File file = new File(destinationDir, entry.getName());\n if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n throw new Exception(\"Bad zip entry\");\n FileOutputStream fos = new FileOutputStream(file); // OK\n // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n" + }, + "properties": { + "tags": [ + "external/cwe/cwe-022", + "security" + ], + "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql", + "precision": "high", + "security-severity": "7.5" + } + } + ] + }, + { + "name": "codeql/java-all", + "semanticVersion": "4.2.0+39a67b6e2e6490a9bd010db50e148f647765e9f7" + }, + { + "name": "codeql/threat-models", + "semanticVersion": "1.0.11+39a67b6e2e6490a9bd010db50e148f647765e9f7" + } + ] + }, + "conversion": { + "tool": { + "driver": { + "name": "GitHub Code Scanning" + } + } + }, + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/hintwatermelon/roller", + "revisionId": "46cdd370714647a468f6ce422adde3d5e8323375", + "branch": "refs/heads/master" + } + ], + "artifacts": [ + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java", + "index": 24 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java", + "index": 25 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java", + "index": 26 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java", + "index": 27 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java", + "index": 28 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java", + "index": 29 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java", + "index": 30 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java", + "index": 31 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java", + "index": 32 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java", + "index": 33 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java", + "index": 34 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java", + "index": 35 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java", + "index": 36 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java", + "index": 37 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java", + "index": 38 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java", + "index": 39 + } + }, + { + "location": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java", + "index": 40 + } + } + ], + "results": [ + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + } + } + ], + "correlationGuid": "aa4c5176-3f0c-485c-9bdc-1c9cd2023d09", + "partialFingerprints": { + "primaryLocationLineHash": "a43352b656264e63:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 52 + } + }, + "message": { + "text": "folderId : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 70 + } + }, + "message": { + "text": "replace(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 44, + "endLine": 131, + "endColumn": 88 + } + }, + "message": { + "text": "replace(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 59, + "endLine": 133, + "endColumn": 76 + } + }, + "message": { + "text": "sanetizedFolderID" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java", + "index": 0 + }, + "region": { + "startLine": 49, + "startColumn": 20, + "endLine": 49, + "endColumn": 28 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/8", + "github/alertNumber": 8 + } + }, + { + "ruleId": "java/http-response-splitting", + "rule": { + "id": "java/http-response-splitting", + "index": 15, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "9a544acb-9e25-40b7-84ea-6f48b454f3fb", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/9", + "github/alertNumber": 9 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1).\nPotential Insecure randomness due to a [Insecure randomness source.](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "bd7483e8-25f4-41a7-bc67-785e5ccb280d", + "partialFingerprints": { + "primaryLocationLineHash": "ebe2869d4f29cd7e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 3 + }, + "region": { + "startLine": 162, + "startColumn": 36, + "endLine": 162, + "endColumn": 48 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 4 + }, + "region": { + "startLine": 111, + "startColumn": 44, + "endLine": 111, + "endColumn": 56 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 119, + "startColumn": 31, + "endLine": 119, + "endColumn": 49 + } + }, + "message": { + "text": "newPassword : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java", + "index": 2 + }, + "region": { + "startLine": 121, + "startColumn": 36, + "endLine": 121, + "endColumn": 47 + } + }, + "message": { + "text": "newPassword" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java", + "index": 0 + }, + "region": { + "startLine": 161, + "startColumn": 39, + "endLine": 161, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java", + "index": 0 + }, + "region": { + "startLine": 110, + "startColumn": 39, + "endLine": 110, + "endColumn": 80 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/10", + "github/alertNumber": 10 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + } + } + ], + "correlationGuid": "42e549d2-c275-4945-bf40-d6bebb689d9d", + "partialFingerprints": { + "primaryLocationLineHash": "a706f813f09b282d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 371, + "startColumn": 39, + "endLine": 371, + "endColumn": 51 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 121, + "startColumn": 33, + "endLine": 121, + "endColumn": 52 + } + }, + "message": { + "text": "passwordText : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 122, + "startColumn": 29, + "endLine": 122, + "endColumn": 41 + } + }, + "message": { + "text": "passwordText" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/11", + "github/alertNumber": 11 + } + }, + { + "ruleId": "java/insecure-randomness", + "rule": { + "id": "java/insecure-randomness", + "index": 22, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + } + } + ], + "correlationGuid": "d090be49-7c07-4548-be1c-d6a277e20f2e", + "partialFingerprints": { + "primaryLocationLineHash": "a7e8967f80765bad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "randomAlphanumeric(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 6 + }, + "region": { + "startLine": 372, + "startColumn": 42, + "endLine": 372, + "endColumn": 54 + } + }, + "message": { + "text": "randomString : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 129, + "startColumn": 36, + "endLine": 129, + "endColumn": 58 + } + }, + "message": { + "text": "passwordConfirm : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java", + "index": 5 + }, + "region": { + "startLine": 130, + "startColumn": 32, + "endLine": 130, + "endColumn": 47 + } + }, + "message": { + "text": "passwordConfirm" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java", + "index": 0 + }, + "region": { + "startLine": 370, + "startColumn": 35, + "endLine": 370, + "endColumn": 76 + } + }, + "message": { + "text": "Insecure randomness source." + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/12", + "github/alertNumber": 12 + } + }, + { + "ruleId": "java/unvalidated-url-redirection", + "rule": { + "id": "java/unvalidated-url-redirection", + "index": 66, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Untrusted URL redirection depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + } + } + ], + "correlationGuid": "5bb7aec0-639e-4365-93a7-e41e00f18ec6", + "partialFingerprints": { + "primaryLocationLineHash": "41fbc440cf27dfd0:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 1 + }, + "region": { + "startLine": 155, + "startColumn": 44, + "endLine": 155, + "endColumn": 52 + } + }, + "message": { + "text": "callback" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java", + "index": 0 + }, + "region": { + "startLine": 127, + "startColumn": 27, + "endLine": 127, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/13", + "github/alertNumber": 13 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + } + } + ], + "correlationGuid": "ba9b5766-17b3-4de4-a1b7-79df1e478644", + "partialFingerprints": { + "primaryLocationLineHash": "cccb6385104d4c00:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 311, + "startColumn": 16, + "endLine": 311, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 41, + "endLine": 188, + "endColumn": 68 + } + }, + "message": { + "text": "computePrevMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 188, + "startColumn": 26, + "endLine": 190, + "endColumn": 70 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/14", + "github/alertNumber": 14 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + } + } + ], + "correlationGuid": "6ef05652-94ad-44b8-8e9c-f77e493a8e2d", + "partialFingerprints": { + "primaryLocationLineHash": "df1362749a3e519c:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 306, + "startColumn": 16, + "endLine": 306, + "endColumn": 49 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 42, + "endLine": 194, + "endColumn": 69 + } + }, + "message": { + "text": "computeNextMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 194, + "startColumn": 26, + "endLine": 196, + "endColumn": 61 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/15", + "github/alertNumber": 15 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + } + } + ], + "correlationGuid": "e116e0f4-cd03-4270-ab36-3b83f00ee00e", + "partialFingerprints": { + "primaryLocationLineHash": "871c3cf166627615:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 319, + "startColumn": 19, + "endLine": 319, + "endColumn": 134 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 322, + "startColumn": 19, + "endLine": 322, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 324, + "startColumn": 13, + "endLine": 324, + "endColumn": 16 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 35, + "endLine": 247, + "endColumn": 63 + } + }, + "message": { + "text": "computeTodayMonthUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 247, + "startColumn": 22, + "endLine": 250, + "endColumn": 28 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/16", + "github/alertNumber": 16 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "db4c7ae4-0eda-47d9-aa17-02047f46b732", + "partialFingerprints": { + "primaryLocationLineHash": "f797cd6a2e95a76a:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 63, + "endLine": 230, + "endColumn": 70 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 80, + "endLine": 272, + "endColumn": 94 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/17", + "github/alertNumber": 17 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + } + } + ], + "correlationGuid": "2f804f4f-770f-4999-b2a6-e36f3f91f614", + "partialFingerprints": { + "primaryLocationLineHash": "d06c87887323661e:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 230, + "startColumn": 58, + "endLine": 230, + "endColumn": 61 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 272, + "startColumn": 68, + "endLine": 272, + "endColumn": 78 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 283, + "startColumn": 22, + "endLine": 283, + "endColumn": 44 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/18", + "github/alertNumber": 18 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + } + } + ], + "correlationGuid": "ed3376eb-e089-4f43-9bf8-adbd4676887b", + "partialFingerprints": { + "primaryLocationLineHash": "f797b1b59b078d8f:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 24, + "endLine": 95, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 95, + "startColumn": 13, + "endLine": 95, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 114, + "startColumn": 16, + "endLine": 114, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 20, + "endLine": 94, + "endColumn": 58 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 94, + "startColumn": 9, + "endLine": 94, + "endColumn": 12 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 15 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 97, + "startColumn": 12, + "endLine": 97, + "endColumn": 26 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 747, + "startColumn": 16, + "endLine": 747, + "endColumn": 121 + } + }, + "message": { + "text": "getWeblogEntryURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 31, + "endLine": 106, + "endColumn": 75 + } + }, + "message": { + "text": "getPermalink(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 106, + "startColumn": 21, + "endLine": 106, + "endColumn": 23 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 94, + "startColumn": 33, + "endLine": 94, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 28, + "endLine": 98, + "endColumn": 34 + } + }, + "message": { + "text": "dayUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 98, + "startColumn": 17, + "endLine": 98, + "endColumn": 19 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 25 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 127, + "startColumn": 23, + "endLine": 127, + "endColumn": 36 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 131, + "startColumn": 16, + "endLine": 131, + "endColumn": 23 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 216, + "startColumn": 38, + "endLine": 216, + "endColumn": 64 + } + }, + "message": { + "text": "getContent(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 54, + "endLine": 228, + "endColumn": 61 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 71, + "endLine": 298, + "endColumn": 85 + } + }, + "message": { + "text": "content : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 302, + "startColumn": 23, + "endLine": 302, + "endColumn": 30 + } + }, + "message": { + "text": "content" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/19", + "github/alertNumber": 19 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + } + } + ], + "correlationGuid": "47fdf168-4a30-4479-a4ee-b5810a9bee24", + "partialFingerprints": { + "primaryLocationLineHash": "6d90bf8993f560aa:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 26, + "endLine": 138, + "endColumn": 72 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 138, + "startColumn": 10, + "endLine": 138, + "endColumn": 18 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 181, + "startColumn": 16, + "endLine": 181, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 166, + "startColumn": 23, + "endLine": 166, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 125, + "startColumn": 19, + "endLine": 125, + "endColumn": 46 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 23 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 139, + "startColumn": 20, + "endLine": 139, + "endColumn": 54 + } + }, + "message": { + "text": "substring(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 29, + "endLine": 207, + "endColumn": 75 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 207, + "startColumn": 13, + "endLine": 207, + "endColumn": 21 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 243, + "startColumn": 16, + "endLine": 243, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 276, + "startColumn": 23, + "endLine": 276, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 26 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 127, + "startColumn": 19, + "endLine": 127, + "endColumn": 33 + } + }, + "message": { + "text": "trim(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 36, + "endLine": 134, + "endColumn": 39 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 134, + "startColumn": 16, + "endLine": 134, + "endColumn": 40 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 28, + "endLine": 63, + "endColumn": 74 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 63, + "startColumn": 17, + "endLine": 63, + "endColumn": 20 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 75, + "startColumn": 16, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 25, + "endLine": 182, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 182, + "startColumn": 9, + "endLine": 182, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 212, + "startColumn": 16, + "endLine": 212, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 273, + "startColumn": 23, + "endLine": 273, + "endColumn": 144 + } + }, + "message": { + "text": "getWeblogCollectionURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java", + "index": 12 + }, + "region": { + "startLine": 281, + "startColumn": 16, + "endLine": 281, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "getRequestURL(...) : StringBuffer" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 76 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 99, + "startColumn": 118, + "endLine": 99, + "endColumn": 135 + } + }, + "message": { + "text": "requestURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 40, + "endLine": 116, + "endColumn": 47 + } + }, + "message": { + "text": "fullUrl : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 137, + "startColumn": 49, + "endLine": 137, + "endColumn": 59 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 141, + "startColumn": 16, + "endLine": 141, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 116, + "startColumn": 20, + "endLine": 116, + "endColumn": 48 + } + }, + "message": { + "text": "removeTrailingSlash(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 86, + "startColumn": 16, + "endLine": 88, + "endColumn": 77 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 66, + "startColumn": 34, + "endLine": 66, + "endColumn": 62 + } + }, + "message": { + "text": "getAbsoluteUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 8 + }, + "region": { + "startLine": 69, + "startColumn": 62, + "endLine": 69, + "endColumn": 69 + } + }, + "message": { + "text": "absPath : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 175, + "startColumn": 46, + "endLine": 175, + "endColumn": 56 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 176, + "startColumn": 30, + "endLine": 176, + "endColumn": 33 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 51, + "startColumn": 27, + "endLine": 51, + "endColumn": 45 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java", + "index": 9 + }, + "region": { + "startLine": 195, + "startColumn": 16, + "endLine": 195, + "endColumn": 34 + } + }, + "message": { + "text": "absoluteContextURL : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 24, + "endLine": 58, + "endColumn": 70 + } + }, + "message": { + "text": "getAbsoluteContextURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 58, + "startColumn": 13, + "endLine": 58, + "endColumn": 16 + } + }, + "message": { + "text": "url [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 19 + } + }, + "message": { + "text": "url : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 63 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java", + "index": 10 + }, + "region": { + "startLine": 74, + "startColumn": 16, + "endLine": 74, + "endColumn": 74 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 25, + "endLine": 237, + "endColumn": 63 + } + }, + "message": { + "text": "getWeblogURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 237, + "startColumn": 9, + "endLine": 237, + "endColumn": 17 + } + }, + "message": { + "text": "pathinfo [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 24 + } + }, + "message": { + "text": "pathinfo : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 68 + } + }, + "message": { + "text": "append(...) : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java", + "index": 13 + }, + "region": { + "startLine": 260, + "startColumn": 16, + "endLine": 260, + "endColumn": 79 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 163, + "startColumn": 23, + "endLine": 163, + "endColumn": 154 + } + }, + "message": { + "text": "getWeblogPageURL(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java", + "index": 11 + }, + "region": { + "startLine": 171, + "startColumn": 16, + "endLine": 171, + "endColumn": 19 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 215, + "startColumn": 34, + "endLine": 215, + "endColumn": 72 + } + }, + "message": { + "text": "computeUrl(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 228, + "startColumn": 49, + "endLine": 228, + "endColumn": 52 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 298, + "startColumn": 59, + "endLine": 298, + "endColumn": 69 + } + }, + "message": { + "text": "url : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java", + "index": 7 + }, + "region": { + "startLine": 307, + "startColumn": 22, + "endLine": 308, + "endColumn": 68 + } + }, + "message": { + "text": "... + ..." + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java", + "index": 0 + }, + "region": { + "startLine": 88, + "startColumn": 42, + "endLine": 88, + "endColumn": 65 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/20", + "github/alertNumber": 20 + } + }, + { + "ruleId": "java/xss", + "rule": { + "id": "java/xss", + "index": 71, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "Cross-site scripting vulnerability due to a [user-provided value](1).\nCross-site scripting vulnerability due to a [user-provided value](2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + } + } + ], + "correlationGuid": "1b6fba72-5d1f-48f1-9f91-ddaa6ff07f20", + "partialFingerprints": { + "primaryLocationLineHash": "e41b363d572cf6d8:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 13, + "endLine": 87, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 87, + "startColumn": 3, + "endLine": 87, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "getParameter(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 13, + "endLine": 94, + "endColumn": 29 + } + }, + "message": { + "text": "... + ... : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 94, + "startColumn": 3, + "endLine": 94, + "endColumn": 5 + } + }, + "message": { + "text": "sb [post update] : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 12 + } + }, + "message": { + "text": "sb : StringBuilder" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 16 + }, + "region": { + "startLine": 97, + "startColumn": 10, + "endLine": 97, + "endColumn": 23 + } + }, + "message": { + "text": "toString(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java", + "index": 15 + }, + "region": { + "startLine": 66, + "startColumn": 21, + "endLine": 66, + "endColumn": 56 + } + }, + "message": { + "text": "getHtml(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 72, + "startColumn": 26, + "endLine": 72, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java", + "index": 0 + }, + "region": { + "startLine": 73, + "startColumn": 26, + "endLine": 73, + "endColumn": 58 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/21", + "github/alertNumber": 21 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + } + } + ], + "correlationGuid": "41fb6220-c807-46cf-8acf-a02ad395aa77", + "partialFingerprints": { + "primaryLocationLineHash": "cf23dfd372a61ea3:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 81, + "startColumn": 37, + "endLine": 81, + "endColumn": 50 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/22", + "github/alertNumber": 22 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + } + } + ], + "correlationGuid": "19ac3ae8-6aee-4c71-83e5-3ad805b42e72", + "partialFingerprints": { + "primaryLocationLineHash": "103f70b0007fdfad:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 86, + "startColumn": 50, + "endLine": 86, + "endColumn": 63 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/23", + "github/alertNumber": 23 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + } + } + ], + "correlationGuid": "bd7ccb79-f108-47d2-ba9c-03ae9ca99d04", + "partialFingerprints": { + "primaryLocationLineHash": "9a91c0ae5a3ea9d:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 142, + "startColumn": 16, + "endLine": 142, + "endColumn": 24 + } + }, + "message": { + "text": "opmlFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 17 + }, + "region": { + "startLine": 112, + "startColumn": 21, + "endLine": 112, + "endColumn": 34 + } + }, + "message": { + "text": "getOpmlFile(...)" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java", + "index": 0 + }, + "region": { + "startLine": 50, + "startColumn": 18, + "endLine": 50, + "endColumn": 26 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/24", + "github/alertNumber": 24 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + } + } + ], + "correlationGuid": "16ab249d-cb7d-4003-bb25-4237836305d5", + "partialFingerprints": { + "primaryLocationLineHash": "77597f482b4d5d50:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 266, + "startColumn": 16, + "endLine": 266, + "endColumn": 29 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 139, + "startColumn": 30, + "endLine": 139, + "endColumn": 48 + } + }, + "message": { + "text": "getUploadedFiles(...) : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 147, + "startColumn": 48, + "endLine": 147, + "endColumn": 58 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/25", + "github/alertNumber": 25 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + } + } + ], + "correlationGuid": "485410bf-8cbf-48eb-8680-82e1d52843ff", + "partialFingerprints": { + "primaryLocationLineHash": "2b2bb9cdd3635201:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 173, + "startColumn": 45, + "endLine": 173, + "endColumn": 63 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 51 + } + }, + "message": { + "text": "this.uploadedFiles : File[]" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 18 + }, + "region": { + "startLine": 175, + "startColumn": 33, + "endLine": 175, + "endColumn": 54 + } + }, + "message": { + "text": "...[...]" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java", + "index": 0 + }, + "region": { + "startLine": 53, + "startColumn": 20, + "endLine": 53, + "endColumn": 33 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/26", + "github/alertNumber": 26 + } + }, + { + "ruleId": "java/path-injection", + "rule": { + "id": "java/path-injection", + "index": 37, + "toolComponent": { + "index": 0 + } + }, + "level": "error", + "message": { + "text": "This path depends on a [user-provided value](1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + } + } + ], + "correlationGuid": "3088f3ec-6971-4d9e-98fc-8f02dfab52c3", + "partialFingerprints": { + "primaryLocationLineHash": "9449418b46954eb:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 125, + "startColumn": 21, + "endLine": 125, + "endColumn": 33 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 126, + "startColumn": 41, + "endLine": 126, + "endColumn": 58 + } + }, + "message": { + "text": "this.uploadedFile : File" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 19 + }, + "region": { + "startLine": 129, + "startColumn": 49, + "endLine": 129, + "endColumn": 66 + } + }, + "message": { + "text": "this.uploadedFile" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java", + "index": 0 + }, + "region": { + "startLine": 47, + "startColumn": 18, + "endLine": 47, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/27", + "github/alertNumber": 27 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with 'b' and with many repetitions of 'b'." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + } + } + ], + "correlationGuid": "2f63c4a7-4170-47c8-917b-9ca3a0115f38", + "partialFingerprints": { + "primaryLocationLineHash": "f22c138a13ff3a37:1" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + "startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 988, + "startColumn": 34, + "endLine": 988, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + "startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 107, + "startColumn": 24, + "endLine": 107, + "endColumn": 29 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + "startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 990, + "startColumn": 34, + "endLine": 990, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + "startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + "startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 22 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 49, + "startColumn": 19, + "endLine": 49, + "endColumn": 69 + } + }, + "message": { + "text": "replaceFirst(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + "startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 996, + "startColumn": 34, + "endLine": 996, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 904, + "startColumn": 19, + "endLine": 904, + "endColumn": 40 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 274, + "startColumn": 19, + "endLine": 274, + "endColumn": 29 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 275, + "startColumn": 16, + "endLine": 275, + "endColumn": 23 + } + }, + "message": { + "text": "summary : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 905, + "startColumn": 23, + "endLine": 905, + "endColumn": 35 + } + }, + "message": { + "text": "getSummary(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + "startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + }, + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 323, + "startColumn": 16, + "endLine": 323, + "endColumn": 21 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 53, + "endLine": 387, + "endColumn": 63 + } + }, + "message": { + "text": "getEntry(...) : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 22, + "endLine": 58, + "endColumn": 40 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 21, + "endLine": 89, + "endColumn": 27 + } + }, + "message": { + "text": "tEntry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 89, + "startColumn": 13, + "endLine": 89, + "endColumn": 18 + } + }, + "message": { + "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 58, + "startColumn": 12, + "endLine": 58, + "endColumn": 21 + } + }, + "message": { + "text": "parameter this [Return] : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 387, + "startColumn": 39, + "endLine": 388, + "endColumn": 43 + } + }, + "message": { + "text": "new Trackback(...) : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 21 + }, + "region": { + "startLine": 389, + "startColumn": 27, + "endLine": 389, + "endColumn": 36 + } + }, + "message": { + "text": "trackback : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 100, + "startColumn": 27, + "endLine": 100, + "endColumn": 31 + } + }, + "message": { + "text": "parameter this : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "this <.field> : Trackback [entry] : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java", + "index": 22 + }, + "region": { + "startLine": 108, + "startColumn": 65, + "endLine": 108, + "endColumn": 70 + } + }, + "message": { + "text": "entry : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1018, + "startColumn": 19, + "endLine": 1018, + "endColumn": 36 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1019, + "startColumn": 16, + "endLine": 1019, + "endColumn": 36 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 980, + "startColumn": 19, + "endLine": 980, + "endColumn": 33 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 1007, + "startColumn": 34, + "endLine": 1007, + "endColumn": 38 + } + }, + "message": { + "text": "this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 897, + "startColumn": 19, + "endLine": 897, + "endColumn": 37 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "this <.method> : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 302, + "startColumn": 19, + "endLine": 302, + "endColumn": 26 + } + }, + "message": { + "text": "parameter this : WeblogEntry" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 303, + "startColumn": 16, + "endLine": 303, + "endColumn": 25 + } + }, + "message": { + "text": "this.text : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 898, + "startColumn": 23, + "endLine": 898, + "endColumn": 32 + } + }, + "message": { + "text": "getText(...) : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 943, + "startColumn": 27, + "endLine": 943, + "endColumn": 37 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java", + "index": 14 + }, + "region": { + "startLine": 960, + "startColumn": 59, + "endLine": 960, + "endColumn": 62 + } + }, + "message": { + "text": "ret : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 65, + "startColumn": 45, + "endLine": 65, + "endColumn": 55 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java", + "index": 23 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endLine": 66, + "endColumn": 41 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 41, + "startColumn": 38, + "endLine": 41, + "endColumn": 48 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 52, + "startColumn": 31, + "endLine": 52, + "endColumn": 34 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 61, + "startColumn": 41, + "endLine": 61, + "endColumn": 51 + } + }, + "message": { + "text": "str : String" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 20 + }, + "region": { + "startLine": 62, + "startColumn": 52, + "endLine": 62, + "endColumn": 55 + } + }, + "message": { + "text": "str" + } + } + } + ] + } + ] + } + ], + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java", + "index": 0 + }, + "region": { + "startLine": 38, + "startColumn": 33, + "endLine": 38, + "endColumn": 51 + } + }, + "message": { + "text": "regular expression" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java", + "index": 0 + }, + "region": { + "startLine": 75, + "startColumn": 25, + "endLine": 75, + "endColumn": 30 + } + }, + "message": { + "text": "user-provided value" + } + } + ], + "properties": { + "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/28", + "github/alertNumber": 28 + } + }, + { + "ruleId": "java/polynomial-redos", + "rule": { + "id": "java/polynomial-redos", + "index": 38, + "toolComponent": { + "index": 0 + } + }, + "message": { + "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of '
a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 61,
+                  "startColumn": 51,
+                  "endLine": 61,
+                  "endColumn": 54
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9b0a3a9-8833-461c-93ec-3a12c3a72f91",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "80ff14788737bca8:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 22,
+                  "endLine": 38,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 29,
+                  "endLine": 38,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/29",
+            "github/alertNumber": 29
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of 'a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 57,
+                  "endLine": 68,
+                  "endColumn": 66
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9eb5f85-f753-42b1-8c6b-3bd3ef5db56e",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "6d309d833fb2b46b:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 24,
+                  "endLine": 41,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 31,
+                  "endLine": 41,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/30",
+            "github/alertNumber": 30
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 60,
+                  "startColumn": 88,
+                  "endLine": 60,
+                  "endColumn": 90
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/31",
+            "github/alertNumber": 31
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of ' '."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 179,
+                  "startColumn": 68,
+                  "endLine": 179,
+                  "endColumn": 77
+                }
+              }
+            }
+          ],
+          "correlationGuid": "0068dc73-44a6-456e-83a7-5fe04b5899e9",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f7eba83359081407:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 77,
+                  "endLine": 66,
+                  "endColumn": 81
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/32",
+            "github/alertNumber": 32
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of '!'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 235,
+                  "startColumn": 67,
+                  "endLine": 235,
+                  "endColumn": 70
+                }
+              }
+            }
+          ],
+          "correlationGuid": "b4530215-fde8-4f7d-8718-57bc4d310a08",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f77ea2ce3b67490a:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 67,
+                  "endLine": 68,
+                  "endColumn": 76
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/33",
+            "github/alertNumber": 33
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](2) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](4) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](5) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](6) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](7) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](8) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](8) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 249,
+                  "startColumn": 83,
+                  "endLine": 249,
+                  "endColumn": 93
+                }
+              }
+            }
+          ],
+          "correlationGuid": "ebd7d4fc-18fe-4894-ad98-05b92939b9a6",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "d2f751956bb0d070:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 19,
+                            "endLine": 66,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 67,
+                            "startColumn": 16,
+                            "endLine": 67,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "getUserName(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 30,
+                            "endLine": 94,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 62,
+                            "endLine": 95,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 109,
+                            "startColumn": 19,
+                            "endLine": 109,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 110,
+                            "startColumn": 16,
+                            "endLine": 110,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getOpenIdUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 47,
+                            "endLine": 86,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "openidurl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 30,
+                            "endLine": 131,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 132,
+                            "startColumn": 63,
+                            "endLine": 132,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 73,
+                  "endLine": 70,
+                  "endColumn": 75
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 98,
+                  "endLine": 70,
+                  "endColumn": 103
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 8,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/34",
+            "github/alertNumber": 34
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 290,
+                  "startColumn": 103,
+                  "endLine": 290,
+                  "endColumn": 106
+                }
+              }
+            }
+          ],
+          "correlationGuid": "98c49d16-a691-4397-87d1-0bebd5d9982a",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "ea89bbca86ba4590:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/35",
+            "github/alertNumber": 35
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 308,
+                  "startColumn": 40,
+                  "endLine": 308,
+                  "endColumn": 43
+                }
+              }
+            }
+          ],
+          "correlationGuid": "5b53c901-1227-4899-94b0-02de15b8ef1b",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7fd366a6b63e95c3:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/36",
+            "github/alertNumber": 36
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 36,
+                  "endLine": 49,
+                  "endColumn": 51
+                }
+              }
+            }
+          ],
+          "correlationGuid": "1923e2ac-ef5c-43bf-b786-86bf2b341004",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "77bb988d556b367:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/37",
+            "github/alertNumber": 37
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 36,
+                  "endLine": 66,
+                  "endColumn": 38
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f7e56bbc-467c-4e07-a916-b3b3c362a229",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "e97d22a8b2a0b291:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/38",
+            "github/alertNumber": 38
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 71,
+                  "startColumn": 36,
+                  "endLine": 71,
+                  "endColumn": 39
+                }
+              }
+            }
+          ],
+          "correlationGuid": "49c124bf-2a10-4623-9976-3376d4c86436",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "9713a8da9d6dd391:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/39",
+            "github/alertNumber": 39
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                  "index": 32
+                },
+                "region": {
+                  "startLine": 438,
+                  "startColumn": 48,
+                  "endLine": 438,
+                  "endColumn": 53
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d8bfdf72-6bfc-410e-8a9f-acdb38e8d713",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "41fca1ccdb5c516f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 55,
+                            "startColumn": 30,
+                            "endLine": 55,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 204,
+                            "startColumn": 16,
+                            "endLine": 204,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 101,
+                            "startColumn": 19,
+                            "endLine": 101,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 16,
+                            "endLine": 102,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this.bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getBannedwordslist(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 427,
+                            "startColumn": 9,
+                            "endLine": 427,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 53,
+                            "endLine": 431,
+                            "endColumn": 83
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 33,
+                            "endLine": 431,
+                            "endColumn": 90
+                          }
+                        },
+                        "message": {
+                          "text": "new StringTokenizer(...) : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "toker : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "nextToken(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 438,
+                            "startColumn": 48,
+                            "endLine": 438,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 55,
+                  "startColumn": 30,
+                  "endLine": 55,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/40",
+            "github/alertNumber": 40
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                  "index": 35
+                },
+                "region": {
+                  "startLine": 230,
+                  "startColumn": 57,
+                  "endLine": 230,
+                  "endColumn": 72
+                }
+              }
+            }
+          ],
+          "correlationGuid": "9d0ad640-089c-4ee1-b3ed-dfbe72c4e5b1",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "248fddc681a75a01:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 43,
+                            "endLine": 63,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 44,
+                            "endLine": 74,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 20,
+                  "endLine": 49,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/41",
+            "github/alertNumber": 41
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                  "index": 38
+                },
+                "region": {
+                  "startLine": 57,
+                  "startColumn": 57,
+                  "endLine": 57,
+                  "endColumn": 69
+                }
+              }
+            }
+          ],
+          "correlationGuid": "839215e6-bef4-4426-97bf-80d3555da65d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "c240ab2d5b41ea5f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 72,
+                            "startColumn": 23,
+                            "endLine": 72,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 315,
+                            "startColumn": 16,
+                            "endLine": 315,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 223,
+                            "startColumn": 19,
+                            "endLine": 223,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 224,
+                            "startColumn": 16,
+                            "endLine": 224,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "enclosureURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getEnclosureURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 48,
+                            "startColumn": 52,
+                            "endLine": 48,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 65,
+                            "endLine": 57,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 57,
+                            "endLine": 57,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "new URL(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 72,
+                  "startColumn": 23,
+                  "endLine": 72,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/42",
+            "github/alertNumber": 42
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 147,
+                  "startColumn": 24,
+                  "endLine": 147,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d722e768-31a0-417b-9b87-847c29a58084",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7c1f69188f18e239:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/43",
+            "github/alertNumber": 43
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user.\n[Error information](2) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 221,
+                  "startColumn": 24,
+                  "endLine": 221,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "4df5ee6f-b915-488c-ba43-35a70984f360",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "517a7a49b664a801:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 214,
+                  "startColumn": 21,
+                  "endLine": 214,
+                  "endColumn": 35
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/44",
+            "github/alertNumber": 44
+          }
+        }
+      ],
+      "automationDetails": {
+        "id": ".github/workflows/codeql-analysis.yml:analyze/language:java/"
+      },
+      "properties": {
+        "codeqlConfigSummary": {}
+      }
+    }
+  ]
+}
diff --git a/core-codemods/src/test/resources/codeql-xss/CalendarTag.java.after b/core-codemods/src/test/resources/codeql-xss/CalendarTag.java.after
new file mode 100644
index 000000000..4a450c66e
--- /dev/null
+++ b/core-codemods/src/test/resources/codeql-xss/CalendarTag.java.after
@@ -0,0 +1,377 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
+package org.apache.roller.weblogger.ui.core.tags.calendar;
+
+import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.util.DateUtil;
+
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.text.SimpleDateFormat;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.Locale;
+import java.util.ResourceBundle;
+import java.util.StringTokenizer;
+
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.tagext.Tag;
+import javax.servlet.jsp.tagext.TagSupport;
+import org.owasp.encoder.Encode;
+
+
+/**
+ * Calendar tag.
+ * @jsp.tag name="Calendar"
+ */
+public class CalendarTag extends TagSupport {
+    private static Log mLogger =
+            LogFactory.getFactory().getInstance(CalendarTag.class);
+
+    private Locale mLocale = Locale.getDefault();
+
+    // JSP Attributes
+
+    /** @jsp.attribute required="true" */
+    public String getName() { return mName; }
+    public void setName( String name ) { mName = name; }
+    private String mName = null;
+
+    /* @jsp.attribute description="Date in yyyyMMdd format"
+    public String getDate() { return mDate; }
+    public void setDate( String s ) { mDate = s; }
+    private String mDate = null;
+     */
+
+    /** @jsp.attribute */
+    public String getModel() { return mModelName; }
+    public void setModel( String s ) { mModelName= s; }
+    private String mModelName = null;
+
+    /** @jsp.attribute */
+    public String getClassSuffix() { return mClassSuffix; }
+    public void setClassSuffix( String s ) { mClassSuffix= s; }
+    private String mClassSuffix = "";
+
+    // not a tag attribute
+    public void setLocale(Locale locale) {
+        if (locale != null) {
+            mLocale = locale;
+        }
+    }
+
+    // not a tag attribute
+    /*
+    private TimeZone mTimeZone = TimeZone.getDefault();
+    public void setTimeZone(TimeZone zone) {
+        if (zone != null)
+            mTimeZone = zone;
+    }
+    private TimeZone getTimeZone()
+    {
+        // I've seen TimeZone.getDefault() return null. -Lance
+        if (mTimeZone == null)
+            mTimeZone = TimeZone.getTimeZone("America/New_York");
+        return mTimeZone;
+    }
+     */
+
+    private String[] mDayNames = null;
+
+    public CalendarTag() {
+        /*
+         * Empty constructor.
+         *
+         * Used to build the day names, but the correct locale
+         * was not set at this stage. Day-name-building has moved to the
+         * doStartTag() method.
+         */
+    }
+
+    //------------------------------------------------------------------------
+    /**
+     * Write to a PrintWriter so that tag may be used from Velocity
+     */
+    public int doStartTag( PrintWriter pw ) throws JspException {
+        try {
+            // build week day names
+            this.buildDayNames();
+
+            // day to be displayed
+            Date day;
+            // set to day to be displayed
+            Calendar dayCal;
+            // for iterating through days of month
+            Calendar cal;
+            // for iterating through days of month
+            Calendar todayCal;
+            // the calendar model
+            CalendarModel model;
+
+            // ---------------------------------
+            // --- initialize date variables ---
+            // ---------------------------------
+
+            // check for parameter map and target url
+            StringTokenizer toker = new StringTokenizer(mModelName,".");
+            String tok1 = toker.nextToken();
+            if (toker.hasMoreTokens()) {
+                String tok2 = toker.nextToken();
+                Object bean = pageContext.findAttribute(tok1);
+                model = (CalendarModel)PropertyUtils.getProperty(bean, tok2);
+            } else {
+                model = (CalendarModel)pageContext.findAttribute( mModelName );
+            }
+
+            // no model specified, nothing to generate
+            if (model == null) {
+                return SKIP_BODY;
+            }
+
+            day = model.getDay();
+
+            // ceate object to represent today
+            todayCal = model.getCalendar();
+            todayCal.setTime( new Date() );
+
+            // get Resource Bundle
+            ResourceBundle bundle = ResourceBundle.getBundle("ApplicationResources", mLocale);
+
+            // formatter Month-Year title of calendar
+            SimpleDateFormat formatTitle = new SimpleDateFormat(bundle.getString("calendar.dateFormat"), mLocale);
+            formatTitle.setTimeZone(todayCal.getTimeZone());
+
+            // go back to first day in month
+            cal = model.getCalendar();
+            day = DateUtil.getNoonOfDay(day, cal);
+            cal.set( Calendar.DAY_OF_MONTH, cal.getMinimum(Calendar.DAY_OF_MONTH) );
+
+            // Go back to first day of week before that (Sunday in US, Monday in France, e.g.)
+            // in the calendar
+            while ( cal.get( Calendar.DAY_OF_WEEK ) != cal.getFirstDayOfWeek() ) {
+                cal.add( Calendar.DATE, -1 );
+            }
+
+            // create table of 5 weeks, 7 days per row
+            dayCal = model.getCalendar();
+            dayCal.setTime( day );
+
+            // -------------------------
+            // --- draw the calendar ---
+            // -------------------------
+            pw.print("");
+            pw.print("");
+            pw.print("");
+
+            // emit the HTML calendar
+            for ( int w=-1; w<6; w++ ) {
+                pw.print("");
+                for ( int d=0; d<7; d++ ) {
+                    if ( w == -1 ) {
+                        pw.print(
+                                "");
+                        continue;
+                    }
+
+                    // determine URL for this calendar day
+                    Date tddate = cal.getTime();
+                    String url = model.computeUrl(tddate, false, false);
+                    String content = model.getContent( tddate );
+
+                    // day is in calendar month
+                    if ((cal.get(Calendar.MONTH) == dayCal.get(Calendar.MONTH))
+                            && (cal.get(Calendar.YEAR) == dayCal.get(Calendar.YEAR))) {
+                        // day is today then use today style
+                        if ((          cal.get(Calendar.DAY_OF_MONTH)
+                                == todayCal.get(Calendar.DAY_OF_MONTH))
+                                && (        cal.get(Calendar.MONTH)
+                                == todayCal.get(Calendar.MONTH))
+                                && (        cal.get(Calendar.YEAR)
+                                == todayCal.get(Calendar.YEAR))) {
+                            printToday(pw, cal, url, content);
+                        } else {
+                            printDayInThisMonth(pw, cal, url, content);
+                        }
+                    } else {
+                        // apply day-not-in-month style ;-)
+                        printDayNotInMonth(pw, cal);
+                    }
+
+                    // increment calendar by one day
+                    cal.add( Calendar.DATE, 1 );
+                }
+                pw.print("");
+            }
+
+            pw.print("");
+            pw.print("");
+            pw.print("");
+
+            pw.print("
");
+            if (model.getPrevMonth() != null) {
+                pw.print("« ");
+            }
+            pw.print( formatTitle.format(day) );
+            if (model.getNextMonth() != null) {
+                pw.print(" »");
+            }
+            pw.print("
");
+                        pw.print( mDayNames[d] );
+                        pw.print("
");
+
+            pw.print(""
+                    +bundle.getString("calendar.today")
+                    +"");
+
+            pw.print("
");
+        } catch (Exception e) {
+            pw.print("");
+            pw.print("
An ERROR has occured CalendarTag
");
+            pw.print("");
+            mLogger.error("Calendar tag exception",e);
+        }
+        return Tag.SKIP_BODY;
+    }
+
+    private void printDayNotInMonth(PrintWriter pw, Calendar cal) {
+        pw.print("");
+        //pw.print(cal.get(Calendar.DAY_OF_MONTH));
+        pw.print(" ");
+        pw.print("");
+    }
+
+    private void printDayInThisMonth(PrintWriter pw, Calendar cal, String url, String content) {
+        if ( content!=null ) {
+            pw.print("");
+            pw.print( Encode.forHtml(content) );
+            pw.print("");
+        } else if (url!=null) {
+            pw.print("");
+            pw.print("
");
+            pw.print("");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("
");
+            pw.print("");
+        } else {
+            pw.print("");
+            pw.print("
");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("
");
+            pw.print("");
+        }
+    }
+
+    private void printToday(PrintWriter pw, Calendar cal, String url, String content) {
+        if ( content!=null ) {
+            pw.print("");
+            pw.print( Encode.forHtml(content) );
+            pw.print("");
+        } else if (url!=null) {
+            pw.print("");
+            pw.print("");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("");
+            pw.print("");
+        } else {
+            pw.print("");
+            pw.print("
");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("
");
+        }
+    }
+
+    /**
+     * Helper method to build the names of the weekdays. This
+     * used to take place in the CalendarTag constructor,
+     * but there, mLocale doesn't have the correct value yet.
+     */
+    private void buildDayNames() {
+        // build array of names of days of week
+        mDayNames = new String[7];
+        Calendar dayNameCal = Calendar.getInstance(mLocale);
+        SimpleDateFormat dayFormatter = new SimpleDateFormat("EEE", mLocale);
+        dayNameCal.set(Calendar.DAY_OF_WEEK, dayNameCal.getFirstDayOfWeek());
+        for (int dnum = 0; dnum < 7; dnum++) {
+            mDayNames[dnum] = dayFormatter.format(dayNameCal.getTime());
+            dayNameCal.add(Calendar.DATE, 1);
+        }
+    }
+
+
+    @Override
+    public String toString() {
+        String ret = null;
+        try {
+            StringWriter sw = new StringWriter();
+            doStartTag( new PrintWriter( sw, true ));
+            // See, design precludes contents
+            doEndTag( new PrintWriter( sw, true ));
+            ret = sw.toString();
+        } catch (Exception e) {
+            ret = "Exception in tag";
+            mLogger.error(ret,e);
+        }
+        return ret;
+    }
+
+    public String emit() {
+        return toString();
+    }
+
+    @Override
+    public int doStartTag() throws JspException {
+        return doStartTag( new PrintWriter( pageContext.getOut(), true) );
+    }
+
+
+    @Override
+    public int doEndTag() throws JspException {
+        return doEndTag( new PrintWriter( pageContext.getOut(), true) );
+    }
+
+    /** Default processing of the end tag returning EVAL_PAGE. */
+    public int doEndTag( PrintWriter pw ) throws JspException {
+        return EVAL_PAGE;
+    }
+
+}
diff --git a/core-codemods/src/test/resources/codeql-xss/CalendarTag.java.before b/core-codemods/src/test/resources/codeql-xss/CalendarTag.java.before
new file mode 100644
index 000000000..bdbbfecd5
--- /dev/null
+++ b/core-codemods/src/test/resources/codeql-xss/CalendarTag.java.before
@@ -0,0 +1,376 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  The ASF licenses this file to You
+ * under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.  For additional information regarding
+ * copyright in this work, please see the NOTICE file in the top level
+ * directory of this distribution.
+ */
+
+package org.apache.roller.weblogger.ui.core.tags.calendar;
+
+import org.apache.commons.beanutils.PropertyUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.roller.util.DateUtil;
+
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.text.SimpleDateFormat;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.Locale;
+import java.util.ResourceBundle;
+import java.util.StringTokenizer;
+
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.tagext.Tag;
+import javax.servlet.jsp.tagext.TagSupport;
+
+
+/**
+ * Calendar tag.
+ * @jsp.tag name="Calendar"
+ */
+public class CalendarTag extends TagSupport {
+    private static Log mLogger =
+            LogFactory.getFactory().getInstance(CalendarTag.class);
+
+    private Locale mLocale = Locale.getDefault();
+
+    // JSP Attributes
+
+    /** @jsp.attribute required="true" */
+    public String getName() { return mName; }
+    public void setName( String name ) { mName = name; }
+    private String mName = null;
+
+    /* @jsp.attribute description="Date in yyyyMMdd format"
+    public String getDate() { return mDate; }
+    public void setDate( String s ) { mDate = s; }
+    private String mDate = null;
+     */
+
+    /** @jsp.attribute */
+    public String getModel() { return mModelName; }
+    public void setModel( String s ) { mModelName= s; }
+    private String mModelName = null;
+
+    /** @jsp.attribute */
+    public String getClassSuffix() { return mClassSuffix; }
+    public void setClassSuffix( String s ) { mClassSuffix= s; }
+    private String mClassSuffix = "";
+
+    // not a tag attribute
+    public void setLocale(Locale locale) {
+        if (locale != null) {
+            mLocale = locale;
+        }
+    }
+
+    // not a tag attribute
+    /*
+    private TimeZone mTimeZone = TimeZone.getDefault();
+    public void setTimeZone(TimeZone zone) {
+        if (zone != null)
+            mTimeZone = zone;
+    }
+    private TimeZone getTimeZone()
+    {
+        // I've seen TimeZone.getDefault() return null. -Lance
+        if (mTimeZone == null)
+            mTimeZone = TimeZone.getTimeZone("America/New_York");
+        return mTimeZone;
+    }
+     */
+
+    private String[] mDayNames = null;
+
+    public CalendarTag() {
+        /*
+         * Empty constructor.
+         *
+         * Used to build the day names, but the correct locale
+         * was not set at this stage. Day-name-building has moved to the
+         * doStartTag() method.
+         */
+    }
+
+    //------------------------------------------------------------------------
+    /**
+     * Write to a PrintWriter so that tag may be used from Velocity
+     */
+    public int doStartTag( PrintWriter pw ) throws JspException {
+        try {
+            // build week day names
+            this.buildDayNames();
+
+            // day to be displayed
+            Date day;
+            // set to day to be displayed
+            Calendar dayCal;
+            // for iterating through days of month
+            Calendar cal;
+            // for iterating through days of month
+            Calendar todayCal;
+            // the calendar model
+            CalendarModel model;
+
+            // ---------------------------------
+            // --- initialize date variables ---
+            // ---------------------------------
+
+            // check for parameter map and target url
+            StringTokenizer toker = new StringTokenizer(mModelName,".");
+            String tok1 = toker.nextToken();
+            if (toker.hasMoreTokens()) {
+                String tok2 = toker.nextToken();
+                Object bean = pageContext.findAttribute(tok1);
+                model = (CalendarModel)PropertyUtils.getProperty(bean, tok2);
+            } else {
+                model = (CalendarModel)pageContext.findAttribute( mModelName );
+            }
+
+            // no model specified, nothing to generate
+            if (model == null) {
+                return SKIP_BODY;
+            }
+
+            day = model.getDay();
+
+            // ceate object to represent today
+            todayCal = model.getCalendar();
+            todayCal.setTime( new Date() );
+
+            // get Resource Bundle
+            ResourceBundle bundle = ResourceBundle.getBundle("ApplicationResources", mLocale);
+
+            // formatter Month-Year title of calendar
+            SimpleDateFormat formatTitle = new SimpleDateFormat(bundle.getString("calendar.dateFormat"), mLocale);
+            formatTitle.setTimeZone(todayCal.getTimeZone());
+
+            // go back to first day in month
+            cal = model.getCalendar();
+            day = DateUtil.getNoonOfDay(day, cal);
+            cal.set( Calendar.DAY_OF_MONTH, cal.getMinimum(Calendar.DAY_OF_MONTH) );
+
+            // Go back to first day of week before that (Sunday in US, Monday in France, e.g.)
+            // in the calendar
+            while ( cal.get( Calendar.DAY_OF_WEEK ) != cal.getFirstDayOfWeek() ) {
+                cal.add( Calendar.DATE, -1 );
+            }
+
+            // create table of 5 weeks, 7 days per row
+            dayCal = model.getCalendar();
+            dayCal.setTime( day );
+
+            // -------------------------
+            // --- draw the calendar ---
+            // -------------------------
+            pw.print("");
+            pw.print("");
+            pw.print("");
+
+            // emit the HTML calendar
+            for ( int w=-1; w<6; w++ ) {
+                pw.print("");
+                for ( int d=0; d<7; d++ ) {
+                    if ( w == -1 ) {
+                        pw.print(
+                                "");
+                        continue;
+                    }
+
+                    // determine URL for this calendar day
+                    Date tddate = cal.getTime();
+                    String url = model.computeUrl(tddate, false, false);
+                    String content = model.getContent( tddate );
+
+                    // day is in calendar month
+                    if ((cal.get(Calendar.MONTH) == dayCal.get(Calendar.MONTH))
+                            && (cal.get(Calendar.YEAR) == dayCal.get(Calendar.YEAR))) {
+                        // day is today then use today style
+                        if ((          cal.get(Calendar.DAY_OF_MONTH)
+                                == todayCal.get(Calendar.DAY_OF_MONTH))
+                                && (        cal.get(Calendar.MONTH)
+                                == todayCal.get(Calendar.MONTH))
+                                && (        cal.get(Calendar.YEAR)
+                                == todayCal.get(Calendar.YEAR))) {
+                            printToday(pw, cal, url, content);
+                        } else {
+                            printDayInThisMonth(pw, cal, url, content);
+                        }
+                    } else {
+                        // apply day-not-in-month style ;-)
+                        printDayNotInMonth(pw, cal);
+                    }
+
+                    // increment calendar by one day
+                    cal.add( Calendar.DATE, 1 );
+                }
+                pw.print("");
+            }
+
+            pw.print("");
+            pw.print("");
+            pw.print("");
+
+            pw.print("
");
+            if (model.getPrevMonth() != null) {
+                pw.print("« ");
+            }
+            pw.print( formatTitle.format(day) );
+            if (model.getNextMonth() != null) {
+                pw.print(" »");
+            }
+            pw.print("
");
+                        pw.print( mDayNames[d] );
+                        pw.print("
");
+
+            pw.print(""
+                    +bundle.getString("calendar.today")
+                    +"");
+
+            pw.print("
");
+        } catch (Exception e) {
+            pw.print("");
+            pw.print("
An ERROR has occured CalendarTag
");
+            pw.print("");
+            mLogger.error("Calendar tag exception",e);
+        }
+        return Tag.SKIP_BODY;
+    }
+
+    private void printDayNotInMonth(PrintWriter pw, Calendar cal) {
+        pw.print("");
+        //pw.print(cal.get(Calendar.DAY_OF_MONTH));
+        pw.print(" ");
+        pw.print("");
+    }
+
+    private void printDayInThisMonth(PrintWriter pw, Calendar cal, String url, String content) {
+        if ( content!=null ) {
+            pw.print("");
+            pw.print( content );
+            pw.print("");
+        } else if (url!=null) {
+            pw.print("");
+            pw.print("
");
+            pw.print("");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("
");
+            pw.print("");
+        } else {
+            pw.print("");
+            pw.print("
");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("
");
+            pw.print("");
+        }
+    }
+
+    private void printToday(PrintWriter pw, Calendar cal, String url, String content) {
+        if ( content!=null ) {
+            pw.print("");
+            pw.print( content );
+            pw.print("");
+        } else if (url!=null) {
+            pw.print("");
+            pw.print("");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("");
+            pw.print("");
+        } else {
+            pw.print("");
+            pw.print("
");
+            pw.print(cal.get(Calendar.DAY_OF_MONTH));
+            pw.print("
");
+        }
+    }
+
+    /**
+     * Helper method to build the names of the weekdays. This
+     * used to take place in the CalendarTag constructor,
+     * but there, mLocale doesn't have the correct value yet.
+     */
+    private void buildDayNames() {
+        // build array of names of days of week
+        mDayNames = new String[7];
+        Calendar dayNameCal = Calendar.getInstance(mLocale);
+        SimpleDateFormat dayFormatter = new SimpleDateFormat("EEE", mLocale);
+        dayNameCal.set(Calendar.DAY_OF_WEEK, dayNameCal.getFirstDayOfWeek());
+        for (int dnum = 0; dnum < 7; dnum++) {
+            mDayNames[dnum] = dayFormatter.format(dayNameCal.getTime());
+            dayNameCal.add(Calendar.DATE, 1);
+        }
+    }
+
+
+    @Override
+    public String toString() {
+        String ret = null;
+        try {
+            StringWriter sw = new StringWriter();
+            doStartTag( new PrintWriter( sw, true ));
+            // See, design precludes contents
+            doEndTag( new PrintWriter( sw, true ));
+            ret = sw.toString();
+        } catch (Exception e) {
+            ret = "Exception in tag";
+            mLogger.error(ret,e);
+        }
+        return ret;
+    }
+
+    public String emit() {
+        return toString();
+    }
+
+    @Override
+    public int doStartTag() throws JspException {
+        return doStartTag( new PrintWriter( pageContext.getOut(), true) );
+    }
+
+
+    @Override
+    public int doEndTag() throws JspException {
+        return doEndTag( new PrintWriter( pageContext.getOut(), true) );
+    }
+
+    /** Default processing of the end tag returning EVAL_PAGE. */
+    public int doEndTag( PrintWriter pw ) throws JspException {
+        return EVAL_PAGE;
+    }
+
+}
diff --git a/core-codemods/src/test/resources/codeql-xss/out.sarif b/core-codemods/src/test/resources/codeql-xss/out.sarif
new file mode 100644
index 000000000..3879d8f42
--- /dev/null
+++ b/core-codemods/src/test/resources/codeql-xss/out.sarif
@@ -0,0 +1,51061 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "semanticVersion": "2.19.3"
+        },
+        "extensions": [
+          {
+            "name": "codeql/java-queries",
+            "semanticVersion": "1.1.8+39a67b6e2e6490a9bd010db50e148f647765e9f7",
+            "rules": [
+              {
+                "id": "java/android/debuggable-attribute-enabled",
+                "name": "java/android/debuggable-attribute-enabled",
+                "shortDescription": {
+                  "text": "Android debuggable attribute enabled"
+                },
+                "fullDescription": {
+                  "text": "An enabled debugger can allow for entry points in the application or reveal sensitive information."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n    \n    \n        \n        \n    \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n    \n    \n        \n        \n    \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n",
+                  "markdown": "# Android debuggable attribute enabled\nThe Android manifest file defines configuration settings for Android applications. In this file, the `android:debuggable` attribute of the `application` element can be used to define whether or not the application can be debugged. When set to `true`, this attribute will allow the application to be debugged even when running on a device in user mode.\n\nWhen a debugger is enabled, it could allow for entry points in the application or reveal sensitive information. As a result, `android:debuggable` should only be enabled during development and should be disabled in production builds.\n\n\n## Recommendation\nIn Android applications, either set the `android:debuggable` attribute to `false`, or do not include it in the manifest. The default value, when not included, is `false`.\n\n\n## Example\nIn the example below, the `android:debuggable` attribute is set to `true`.\n\n\n```xml\n\n    \n    \n        \n        \n    \n\n\n```\nThe corrected version sets the `android:debuggable` attribute to `false`.\n\n\n```xml\n\n    \n    \n        \n        \n    \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The android:debuggable attribute](https://developer.android.com/guide/topics/manifest/application-element#debug).\n* Android Developers: [Enable debugging](https://developer.android.com/studio/debug#enable-debug).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-489",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql",
+                  "precision": "very-high",
+                  "security-severity": "7.2"
+                }
+              },
+              {
+                "id": "java/android/fragment-injection",
+                "name": "java/android/fragment-injection",
+                "shortDescription": {
+                  "text": "Android fragment injection"
+                },
+                "fullDescription": {
+                  "text": "Instantiating an Android fragment from a user-provided value may allow a malicious application to bypass access controls, exposing the application to unintended effects."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n    @Override\n    protected void onCreate(Bundle savedInstance) {\n        try {\n            super.onCreate(savedInstance);\n            // BAD: Fragment instantiated from user input without validation\n            {\n                String fName = getIntent().getStringExtra(\"fragmentName\");\n                getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n                        Fragment.instantiate(this, fName, null)).commit();\n            }\n            // GOOD: Fragment instantiated statically\n            {\n                getFragmentManager().beginTransaction()\n                        .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n            }\n        } catch (Exception e) {\n        }\n    }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // BAD: any Fragment name can be provided.\n        return true;\n    }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // Good: only trusted Fragment names are allowed.\n        return SafeFragment1.class.getName().equals(fragmentName)\n                || SafeFragment2.class.getName().equals(fragmentName)\n                || SafeFragment3.class.getName().equals(fragmentName);\n    }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n",
+                  "markdown": "# Android fragment injection\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n    @Override\n    protected void onCreate(Bundle savedInstance) {\n        try {\n            super.onCreate(savedInstance);\n            // BAD: Fragment instantiated from user input without validation\n            {\n                String fName = getIntent().getStringExtra(\"fragmentName\");\n                getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n                        Fragment.instantiate(this, fName, null)).commit();\n            }\n            // GOOD: Fragment instantiated statically\n            {\n                getFragmentManager().beginTransaction()\n                        .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n            }\n        } catch (Exception e) {\n        }\n    }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // BAD: any Fragment name can be provided.\n        return true;\n    }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // Good: only trusted Fragment names are allowed.\n        return SafeFragment1.class.getName().equals(fragmentName)\n                || SafeFragment2.class.getName().equals(fragmentName)\n                || SafeFragment3.class.getName().equals(fragmentName);\n    }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-470",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/android/fragment-injection-preference-activity",
+                "name": "java/android/fragment-injection-preference-activity",
+                "shortDescription": {
+                  "text": "Android fragment injection in PreferenceActivity"
+                },
+                "fullDescription": {
+                  "text": "An insecure implementation of the 'isValidFragment' method of the 'PreferenceActivity' class may allow a malicious application to bypass access controls, exposing the application to unintended effects."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n    @Override\n    protected void onCreate(Bundle savedInstance) {\n        try {\n            super.onCreate(savedInstance);\n            // BAD: Fragment instantiated from user input without validation\n            {\n                String fName = getIntent().getStringExtra(\"fragmentName\");\n                getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n                        Fragment.instantiate(this, fName, null)).commit();\n            }\n            // GOOD: Fragment instantiated statically\n            {\n                getFragmentManager().beginTransaction()\n                        .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n            }\n        } catch (Exception e) {\n        }\n    }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // BAD: any Fragment name can be provided.\n        return true;\n    }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // Good: only trusted Fragment names are allowed.\n        return SafeFragment1.class.getName().equals(fragmentName)\n                || SafeFragment2.class.getName().equals(fragmentName)\n                || SafeFragment3.class.getName().equals(fragmentName);\n    }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n",
+                  "markdown": "# Android fragment injection in PreferenceActivity\nWhen fragments are instantiated with externally provided names, this exposes any exported activity that dynamically creates and hosts the fragment to fragment injection. A malicious application could provide the name of an arbitrary fragment, even one not designed to be externally accessible, and inject it into the activity. This can bypass access controls and expose the application to unintended effects.\n\nFragments are reusable parts of an Android application's user interface. Even though a fragment controls its own lifecycle and layout, and handles its input events, it cannot exist on its own: it must be hosted either by an activity or another fragment. This means that, normally, a fragment will be accessible by third-party applications (that is, exported) only if its hosting activity is itself exported.\n\n\n## Recommendation\nIn general, do not instantiate classes (including fragments) with user-provided names unless the name has been properly validated. Also, if an exported activity is extending the `PreferenceActivity` class, make sure that the `isValidFragment` method is overriden and only returns `true` when the provided `fragmentName` points to an intended fragment.\n\n\n## Example\nThe following example shows two cases: in the first one, untrusted data is used to instantiate and add a fragment to an activity, while in the second one, a fragment is safely added with a static name.\n\n\n```java\npublic class MyActivity extends FragmentActivity {\n\n    @Override\n    protected void onCreate(Bundle savedInstance) {\n        try {\n            super.onCreate(savedInstance);\n            // BAD: Fragment instantiated from user input without validation\n            {\n                String fName = getIntent().getStringExtra(\"fragmentName\");\n                getFragmentManager().beginTransaction().replace(com.android.internal.R.id.prefs,\n                        Fragment.instantiate(this, fName, null)).commit();\n            }\n            // GOOD: Fragment instantiated statically\n            {\n                getFragmentManager().beginTransaction()\n                        .replace(com.android.internal.R.id.prefs, new MyFragment()).commit();\n            }\n        } catch (Exception e) {\n        }\n    }\n\n}\n\n```\nThe next example shows two activities that extend `PreferenceActivity`. The first activity overrides `isValidFragment`, but it wrongly returns `true` unconditionally. The second activity correctly overrides `isValidFragment` so that it only returns `true` when `fragmentName` is a trusted fragment name.\n\n\n```java\nclass UnsafeActivity extends PreferenceActivity {\n\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // BAD: any Fragment name can be provided.\n        return true;\n    }\n}\n\n\nclass SafeActivity extends PreferenceActivity {\n    @Override\n    protected boolean isValidFragment(String fragmentName) {\n        // Good: only trusted Fragment names are allowed.\n        return SafeFragment1.class.getName().equals(fragmentName)\n                || SafeFragment2.class.getName().equals(fragmentName)\n                || SafeFragment3.class.getName().equals(fragmentName);\n    }\n\n}\n\n\n```\n\n## References\n* Google Help: [How to fix Fragment Injection vulnerability](https://support.google.com/faqs/answer/7188427?hl=en).\n* IBM Security Systems: [Android collapses into Fragments](https://securityintelligence.com/wp-content/uploads/2013/12/android-collapses-into-fragments.pdf).\n* Android Developers: [Fragments](https://developer.android.com/guide/fragments)\n* Common Weakness Enumeration: [CWE-470](https://cwe.mitre.org/data/definitions/470.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-470",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/android/implicit-pendingintents",
+                "name": "java/android/implicit-pendingintents",
+                "shortDescription": {
+                  "text": "Use of implicit PendingIntents"
+                },
+                "fullDescription": {
+                  "text": "Sending an implicit and mutable 'PendingIntent' to an unspecified third party component may provide an attacker with access to internal components of the application or cause other unintended effects."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n",
+                  "markdown": "# Use of implicit PendingIntents\nA `PendingIntent` is used to wrap an `Intent` that will be supplied and executed by another application. When the `Intent` is executed, it behaves as if it were run directly by the supplying application, using the privileges of that application.\n\nIf a `PendingIntent` is configured to be mutable, the fields of its internal `Intent` can be changed by the receiving application if they were not previously set. This means that a mutable `PendingIntent` that has not defined a destination component (that is, an implicit `PendingIntent`) can be altered to execute an arbitrary action with the privileges of the application that created it.\n\nA malicious application can access an implicit `PendingIntent` as follows:\n\n* It is wrapped and sent as an extra of another implicit `Intent`.\n* It is sent as the action of a `Slide`.\n* It is sent as the action of a `Notification`.\n\n\nOn gaining access, the attacker can modify the underlying `Intent` and execute an arbitrary action with elevated privileges. This could give the malicious application access to private components of the victim application, or the ability to perform actions without having the necessary permissions.\n\n\n## Recommendation\nAvoid creating implicit `PendingIntent`s. This means that the underlying `Intent` should always have an explicit destination component.\n\nWhen you add the `PendingIntent` as an extra of another `Intent`, make sure that this second `Intent` also has an explicit destination component, so that it is not delivered to untrusted applications.\n\nCreate the `PendingIntent` using the flag `FLAG_IMMUTABLE` whenever possible, to prevent the destination component from modifying empty fields of the underlying `Intent`.\n\n\n## Example\nIn the following examples, a `PendingIntent` is created and wrapped as an extra of another `Intent`.\n\nIn the first example, both the `PendingIntent` and the `Intent` it is wrapped in are implicit, making them vulnerable to attack.\n\nIn the second example, the issue is avoided by adding explicit destination components to the `PendingIntent` and the wrapping `Intent`.\n\nThe third example uses the `FLAG_IMMUTABLE` flag to prevent the underlying `Intent` from being modified by the destination component.\n\n\n```java\nimport android.app.Activity;\nimport android.app.PendingIntent;\nimport android.content.Intent;\nimport android.os.Bundle;\n\npublic class ImplicitPendingIntents extends Activity {\n\n\tpublic void onCreate(Bundle savedInstance) {\n\t\t{\n\t\t\t// BAD: an implicit Intent is used to create a PendingIntent.\n\t\t\t// The PendingIntent is then added to another implicit Intent\n\t\t\t// and started.\n\t\t\tIntent baseIntent = new Intent();\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent(\"SOME_ACTION\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tsendBroadcast(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: both the PendingIntent and the wrapping Intent are explicit.\n\t\t\tIntent safeIntent = new Intent(this, AnotherActivity.class);\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, safeIntent, PendingIntent.FLAG_ONE_SHOT);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\n\t\t{\n\t\t\t// GOOD: The PendingIntent is created with FLAG_IMMUTABLE.\n\t\t\tIntent baseIntent = new Intent(\"SOME_ACTION\");\n\t\t\tPendingIntent pi =\n\t\t\t\t\tPendingIntent.getActivity(this, 0, baseIntent, PendingIntent.FLAG_IMMUTABLE);\n\t\t\tIntent fwdIntent = new Intent();\n\t\t\tfwdIntent.setClassName(\"destination.package\", \"DestinationClass\");\n\t\t\tfwdIntent.putExtra(\"fwdIntent\", pi);\n\t\t\tstartActivity(fwdIntent);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* Google Help: [ Remediation for Implicit PendingIntent Vulnerability ](https://support.google.com/faqs/answer/10437428?hl=en)\n* University of Potsdam: [ PIAnalyzer: A precise approach for PendingIntent vulnerability analysis ](https://www.cs.uni-potsdam.de/se/papers/esorics18.pdf)\n* Common Weakness Enumeration: [CWE-927](https://cwe.mitre.org/data/definitions/927.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-927",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql",
+                  "precision": "high",
+                  "security-severity": "8.2"
+                }
+              },
+              {
+                "id": "java/android/implicitly-exported-component",
+                "name": "java/android/implicitly-exported-component",
+                "shortDescription": {
+                  "text": "Implicitly exported Android component"
+                },
+                "fullDescription": {
+                  "text": "Android components with an '' and no 'android:exported' attribute are implicitly exported, which can allow for improper access to the components themselves and to their data."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n    \n        \n            android:name=\".Activity\">\n            \n                \n            \n        \n    \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n    \n        \n            android:name=\".Activity\">\n            android:exported=\"false\"\n            \n                \n            \n        \n    \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n",
+                  "markdown": "# Implicitly exported Android component\nThe Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the `android:exported` attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.\n\nAn implicitly exported component could allow for improper access to the component and its data.\n\n\n## Recommendation\nExplicitly set the `android:exported` attribute for every component or use permissions to limit access to the component.\n\n\n## Example\nIn the example below, the `android:exported` attribute is omitted when an intent filter is used.\n\n\n```xml\n\n    \n        \n            android:name=\".Activity\">\n            \n                \n            \n        \n    \n\n\n```\nA corrected version sets the `android:exported` attribute to `false`.\n\n\n```xml\n\n    \n        \n            android:name=\".Activity\">\n            android:exported=\"false\"\n            \n                \n            \n        \n    \n\n\n```\n\n## References\n* Android Developers: [App Manifest Overview](https://developer.android.com/guide/topics/manifest/manifest-intro).\n* Android Developers: [The <intent-filter> element](https://developer.android.com/guide/topics/manifest/intent-filter-element).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Android Developers: [The android:permission attribute](https://developer.android.com/guide/topics/manifest/activity-element#prmsn).\n* Android Developers: [Safer component exporting](https://developer.android.com/about/versions/12/behavior-changes-12#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-926",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql",
+                  "precision": "high",
+                  "security-severity": "8.2"
+                }
+              },
+              {
+                "id": "java/android/insecure-local-authentication",
+                "name": "java/android/insecure-local-authentication",
+                "shortDescription": {
+                  "text": "Insecure local authentication"
+                },
+                "fullDescription": {
+                  "text": "Local authentication that does not make use of a `CryptoObject` can be bypassed."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n    cancellationSignal,\n    executor,\n    new BiometricPrompt.AuthenticationCallback {\n        @Override\n        // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n            grantAccess()\n        }\n    }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n        \"MySecretKey\",\n        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n        .setUserAuthenticationRequired(true)\n        .setInvalidatedByBiometricEnrollment(true)\n        .build();\n    KeyGenerator keyGenerator = KeyGenerator.getInstance(\n            KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n    keyGenerator.init(keyGenParameterSpec);\n    keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n    KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n    keyStore.load(null);\n    return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n    return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n            + KeyProperties.BLOCK_MODE_CBC + \"/\"\n            + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n    Cipher cipher = getCipher();\n    SecretKey secretKey = getSecretKey();\n    cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n    biometricPrompt.authenticate(\n        new BiometricPrompt.CryptoObject(cipher),\n        cancellationSignal,\n        executor,\n        new BiometricPrompt.AuthenticationCallback() {\n            @Override\n            // GOOD: This authentication callback uses the result to decrypt some data.\n            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n                Cipher cipher = result.getCryptoObject().getCipher();\n                byte[] decryptedData = cipher.doFinal(encryptedData);\n                grantAccessWithData(decryptedData);\n            }\n        }\n    );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n",
+                  "markdown": "# Insecure local authentication\nBiometric local authentication such as fingerprint recognition can be used to protect sensitive data or actions within an application. However, if this authentication does not use a `KeyStore`-backed key, it can be bypassed by a privileged malicious application, or by an attacker with physical access using application hooking tools such as Frida.\n\n\n## Recommendation\nGenerate a secure key in the Android `KeyStore`. Ensure that the `onAuthenticationSuccess` callback for a biometric prompt uses it in a way that is required for the sensitive parts of the application to function, such as by using it to decrypt sensitive data or credentials.\n\n\n## Example\nIn the following (bad) case, no `CryptoObject` is required for the biometric prompt to grant access, so it can be bypassed.\n\n\n```java\nbiometricPrompt.authenticate(\n    cancellationSignal,\n    executor,\n    new BiometricPrompt.AuthenticationCallback {\n        @Override\n        // BAD: This authentication callback does not make use of a `CryptoObject` from the `result`.\n        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n            grantAccess()\n        }\n    }\n)\n```\nIn the following (good) case, a secret key is generated in the Android `KeyStore`. The application requires this secret key for access, using it to decrypt data.\n\n\n```java\nprivate void generateSecretKey() {\n    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(\n        \"MySecretKey\",\n        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)\n        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)\n        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)\n        .setUserAuthenticationRequired(true)\n        .setInvalidatedByBiometricEnrollment(true)\n        .build();\n    KeyGenerator keyGenerator = KeyGenerator.getInstance(\n            KeyProperties.KEY_ALGORITHM_AES, \"AndroidKeyStore\");\n    keyGenerator.init(keyGenParameterSpec);\n    keyGenerator.generateKey();\n}\n\n\nprivate SecretKey getSecretKey() {\n    KeyStore keyStore = KeyStore.getInstance(\"AndroidKeyStore\");\n    keyStore.load(null);\n    return ((SecretKey)keyStore.getKey(\"MySecretKey\", null));\n}\n\nprivate Cipher getCipher() {\n    return Cipher.getInstance(KeyProperties.KEY_ALGORITHM_AES + \"/\"\n            + KeyProperties.BLOCK_MODE_CBC + \"/\"\n            + KeyProperties.ENCRYPTION_PADDING_PKCS7);\n}\n\npublic prompt(byte[] encryptedData) {\n    Cipher cipher = getCipher();\n    SecretKey secretKey = getSecretKey();\n    cipher.init(Cipher.DECRYPT_MODE, secretKey);\n\n    biometricPrompt.authenticate(\n        new BiometricPrompt.CryptoObject(cipher),\n        cancellationSignal,\n        executor,\n        new BiometricPrompt.AuthenticationCallback() {\n            @Override\n            // GOOD: This authentication callback uses the result to decrypt some data.\n            public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {\n                Cipher cipher = result.getCryptoObject().getCipher();\n                byte[] decryptedData = cipher.doFinal(encryptedData);\n                grantAccessWithData(decryptedData);\n            }\n        }\n    );\n}\n```\n\n## References\n* OWASP Mobile Application Security: [Android Local Authentication](https://mas.owasp.org/MASTG/Android/0x05f-Testing-Local-Authentication/)\n* OWASP Mobile Application Security: [Testing Biometric Authentication](https://mas.owasp.org/MASTG/tests/android/MASVS-AUTH/MASTG-TEST-0018/)\n* WithSecure: [How Secure is your Android Keystore Authentication?](https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication)\n* Android Developers: [Biometric Authentication](https://developer.android.com/training/sign-in/biometric-auth)\n* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-287",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql",
+                  "precision": "high",
+                  "security-severity": "4.4"
+                }
+              },
+              {
+                "id": "java/android/intent-redirection",
+                "name": "java/android/intent-redirection",
+                "shortDescription": {
+                  "text": "Android Intent redirection"
+                },
+                "fullDescription": {
+                  "text": "Starting Android components with user-provided Intents can provide access to internal components of the application, increasing the attack surface and potentially causing unintended effects."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n    destinationComponent.getClassName().equals(\"SafeClass\")) {\n    startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n    startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n",
+                  "markdown": "# Android Intent redirection\nAn exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components on behalf of the victim app.\n\n\n## Recommendation\nDo not export components that start other components from a user-provided Intent. They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.\n\nIf this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.\n\n\n## Example\nThe following snippet contains three examples. In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent. In the second example, the destination component of the Intent is first checked to make sure it is safe. In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.\n\n\n```java\n// BAD: A user-provided Intent is used to launch an arbitrary component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nstartActivity(forwardIntent);\n\n// GOOD: The destination component is checked before launching it\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());\nif (destinationComponent.getPackageName().equals(\"safe.package\") && \n    destinationComponent.getClassName().equals(\"SafeClass\")) {\n    startActivity(forwardIntent);\n}\n\n// GOOD: The component that sent the Intent is checked before launching the destination component\nIntent forwardIntent = (Intent) getIntent().getParcelableExtra(\"forward_intent\");\nComponentName originComponent = getCallingActivity();\nif (originComponent.getPackageName().equals(\"trusted.package\") && originComponent.getClassName().equals(\"TrustedClass\")) {\n    startActivity(forwardIntent);\n}\n\n```\n\n## References\n* Google: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* OWASP Mobile Security Testing Guide: [Intents](https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents).\n* Android Developers: [The android:exported attribute](https://developer.android.com/guide/topics/manifest/activity-element#exported).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-926",
+                    "external/cwe/cwe-940",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/android/intent-uri-permission-manipulation",
+                "name": "java/android/intent-uri-permission-manipulation",
+                "shortDescription": {
+                  "text": "Intent URI permission manipulation"
+                },
+                "fullDescription": {
+                  "text": "Returning an externally provided Intent via 'setResult' may allow a malicious application to access arbitrary content providers of the vulnerable application."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Intent URI permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n    // BAD: the user-provided Intent is returned as-is\n    public void dangerous() {\n        Intent intent = getIntent();\n        intent.putExtra(\"result\", \"resultData\");\n        setResult(intent);\n    }\n\n    // GOOD: a new Intent is created and returned\n    public void safe() {\n        Intent intent = new Intent();\n        intent.putExtra(\"result\", \"resultData\");\n        setResult(intent);\n    }\n\n    // GOOD: the user-provided Intent is sanitized before being returned\n    public void sanitized() {\n        Intent intent = getIntent();\n        intent.putExtra(\"result\", \"resultData\");\n        intent.removeFlags(\n                Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n        setResult(intent);\n    }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n",
+                  "markdown": "# Intent URI permission manipulation\nWhen an Android component expects a result from an Activity, `startActivityForResult` can be used. The started Activity can then use `setResult` to return the appropriate data to the calling component.\n\nIf an Activity obtains the incoming, user-provided Intent and directly returns it via `setResult` without any checks, the application may be unintentionally giving arbitrary access to its content providers, even if they are not exported, as long as they are configured with the attribute `android:grantUriPermissions=\"true\"`. This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect once the Intent is reflected back.\n\n\n## Recommendation\nAvoid returning user-provided or untrusted Intents via `setResult`. Use a new Intent instead.\n\nIf it is required to use the received Intent, make sure that it does not contain URI permission flags, either by checking them with `Intent.getFlags` or removing them with `Intent.removeFlags`.\n\n\n## Example\nThe following sample contains three examples. In the first example, a user-provided Intent is obtained and directly returned back with `setResult`, which is dangerous. In the second example, a new Intent is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized by removing dangerous flags before using it to return data to the calling component.\n\n\n```java\npublic class IntentUriPermissionManipulation extends Activity {\n\n    // BAD: the user-provided Intent is returned as-is\n    public void dangerous() {\n        Intent intent = getIntent();\n        intent.putExtra(\"result\", \"resultData\");\n        setResult(intent);\n    }\n\n    // GOOD: a new Intent is created and returned\n    public void safe() {\n        Intent intent = new Intent();\n        intent.putExtra(\"result\", \"resultData\");\n        setResult(intent);\n    }\n\n    // GOOD: the user-provided Intent is sanitized before being returned\n    public void sanitized() {\n        Intent intent = getIntent();\n        intent.putExtra(\"result\", \"resultData\");\n        intent.removeFlags(\n                Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);\n        setResult(intent);\n    }\n}\n\n```\n\n## References\n* Google Help: [Remediation for Intent Redirection Vulnerability](https://support.google.com/faqs/answer/9267555?hl=en).\n* Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n* Common Weakness Enumeration: [CWE-926](https://cwe.mitre.org/data/definitions/926.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-266",
+                    "external/cwe/cwe-926",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql",
+                  "precision": "high",
+                  "security-severity": "7.8"
+                }
+              },
+              {
+                "id": "java/android/unsafe-content-uri-resolution",
+                "name": "java/android/unsafe-content-uri-resolution",
+                "shortDescription": {
+                  "text": "Uncontrolled data used in content resolution"
+                },
+                "fullDescription": {
+                  "text": "Resolving externally-provided content URIs without validation can allow an attacker to access unexpected resources."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n    public void onCreate() {\n        // BAD: Externally-provided URI directly used in content resolution\n        {\n            ContentResolver contentResolver = getContentResolver();\n            Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n            InputStream is = contentResolver.openInputStream(uri);\n            copyToExternalCache(is);\n        }\n        // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n        {\n            ContentResolver contentResolver = getContentResolver();\n            Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n            String path = uri.getPath();\n            if (path.startsWith(\"/data\"))\n                throw new SecurityException();\n            InputStream is = contentResolver.openInputStream(uri);\n            copyToExternalCache(is);\n        }\n        // GOOD: URI is properly validated to block access to internal files\n        {\n            ContentResolver contentResolver = getContentResolver();\n            Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n            String path = uri.getPath();\n            java.nio.file.Path normalized =\n                    java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n            if (normalized.startsWith(\"/data\"))\n                throw new SecurityException();\n            InputStream is = contentResolver.openInputStream(uri);\n            copyToExternalCache(is);\n        }\n    }\n\n    private void copyToExternalCache(InputStream is) {\n        // Reads the contents of is and writes a file in the app's external\n        // cache directory, which can be read publicly by applications in the same device.\n    }\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n",
+                  "markdown": "# Uncontrolled data used in content resolution\nWhen an Android application wants to access data in a content provider, it uses the `ContentResolver` object. `ContentResolver`s communicate with an instance of a class that implements the `ContentProvider` interface via URIs with the `content://` scheme. The authority part (the first path segment) of the URI, passed as parameter to the `ContentResolver`, determines which content provider is contacted for the operation. Specific operations that act on files also support the `file://` scheme, in which case the local filesystem is queried instead. If an external component, like a malicious or compromised application, controls the URI for a `ContentResolver` operation, it can trick the vulnerable application into accessing its own private files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like external storage, or tamper with the contents by making the application overwrite the file with unexpected data.\n\n\n## Recommendation\nIf possible, avoid using externally-provided data to determine the URI for a `ContentResolver` to use. If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list of content providers and/or applications, or alternatively make sure that the URI does not reference private directories like `/data/`.\n\n\n## Example\nThis example shows three ways of opening a file using a `ContentResolver`. In the first case, externally-provided data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI of the form `/data/data/(vulnerable app package)/(private file)` to trick the application into reading it and copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference any internal application files.\n\n\n```java\nimport android.content.ContentResolver;\nimport android.net.Uri;\n\npublic class Example extends Activity {\n    public void onCreate() {\n        // BAD: Externally-provided URI directly used in content resolution\n        {\n            ContentResolver contentResolver = getContentResolver();\n            Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n            InputStream is = contentResolver.openInputStream(uri);\n            copyToExternalCache(is);\n        }\n        // BAD: input URI is not normalized, and check can be bypassed with \"..\" characters\n        {\n            ContentResolver contentResolver = getContentResolver();\n            Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n            String path = uri.getPath();\n            if (path.startsWith(\"/data\"))\n                throw new SecurityException();\n            InputStream is = contentResolver.openInputStream(uri);\n            copyToExternalCache(is);\n        }\n        // GOOD: URI is properly validated to block access to internal files\n        {\n            ContentResolver contentResolver = getContentResolver();\n            Uri uri = (Uri) getIntent().getParcelableExtra(\"URI_EXTRA\");\n            String path = uri.getPath();\n            java.nio.file.Path normalized =\n                    java.nio.file.FileSystems.getDefault().getPath(path).normalize();\n            if (normalized.startsWith(\"/data\"))\n                throw new SecurityException();\n            InputStream is = contentResolver.openInputStream(uri);\n            copyToExternalCache(is);\n        }\n    }\n\n    private void copyToExternalCache(InputStream is) {\n        // Reads the contents of is and writes a file in the app's external\n        // cache directory, which can be read publicly by applications in the same device.\n    }\n}\n\n```\n\n## References\n* Android developers: [Content provider basics](https://developer.android.com/guide/topics/providers/content-provider-basics)\n* [The ContentResolver class](https://developer.android.com/reference/android/content/ContentResolver)\n* Common Weakness Enumeration: [CWE-441](https://cwe.mitre.org/data/definitions/441.html).\n* Common Weakness Enumeration: [CWE-610](https://cwe.mitre.org/data/definitions/610.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-441",
+                    "external/cwe/cwe-610",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/android/webview-debugging-enabled",
+                "name": "java/android/webview-debugging-enabled",
+                "shortDescription": {
+                  "text": "Android Webview debugging enabled"
+                },
+                "fullDescription": {
+                  "text": "Enabling Webview debugging in production builds can expose entry points or leak sensitive information."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n    WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n",
+                  "markdown": "# Android Webview debugging enabled\nThe `WebView.setWebContentsDebuggingEnabled` method enables or disables the contents of any `WebView` in the application to be debugged.\n\nYou should only enable debugging features during development. When you create a production build, you should disable it. If you enable debugging features, this can make your code vulnerable by adding entry points, or leaking sensitive information.\n\n\n## Recommendation\nEnsure that debugging features are not enabled in production builds, such as by guarding calls to `WebView.setWebContentsDebuggingEnabled(true)` by a flag that is only enabled in debug builds.\n\n\n## Example\nIn the first (bad) example, WebView debugging is always enabled. whereas the GOOD case only enables it if the `android:debuggable` attribute is set to `true`.\n\n\n```java\n// BAD - debugging is always enabled \nWebView.setWebContentsDebuggingEnabled(true);\n\n// GOOD - debugging is only enabled when this is a debug build, as indicated by the debuggable flag being set.\nif (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE)) {\n    WebView.setWebContentsDebuggingEnabled(true);\n}\n```\n\n## References\n* Android Developers: [setWebContentsDebuggingEnabled](https://developer.android.com/reference/android/webkit/WebView.html#setWebContentsDebuggingEnabled(boolean)).\n* Android Developers: [Remote debugging WebViews](https://developer.chrome.com/docs/devtools/remote-debugging/webviews/).\n* Common Weakness Enumeration: [CWE-489](https://cwe.mitre.org/data/definitions/489.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-489",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql",
+                  "precision": "high",
+                  "security-severity": "7.2"
+                }
+              },
+              {
+                "id": "java/cleartext-storage-in-cookie",
+                "name": "java/cleartext-storage-in-cookie",
+                "shortDescription": {
+                  "text": "Cleartext storage of sensitive information in cookie"
+                },
+                "fullDescription": {
+                  "text": "Storing sensitive information in cleartext can expose it to an attacker."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n",
+                  "markdown": "# Cleartext storage of sensitive information in cookie\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. It may be wise to encrypt information before it is put into a heap data structure (such as `Java.util.Properties`) that may be written to disk later. Objects that are serializable or marshallable should also always contain encrypted information unless you are certain that they are not ever going to be serialized.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\n\n## Example\nThe following example shows two ways of storing user credentials in a cookie. In the 'BAD' case, the credentials are simply stored in cleartext. In the 'GOOD' case, the credentials are hashed before storing them.\n\n\n```java\npublic static void main(String[] args) {\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"BP@ssw0rd\".toCharArray());\n\t\tdata = credentials.getUserName() + \":\" + new String(credentials.getPassword());\n\t\n\t\t// BAD: store data in a cookie in cleartext form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n\t\n\t{\n\t\tString data;\n\t\tPasswordAuthentication credentials =\n\t\t\t\tnew PasswordAuthentication(\"user\", \"GP@ssw0rd\".toCharArray());\n\t\tString salt = \"ThisIsMySalt\";\n\t\tMessageDigest messageDigest = MessageDigest.getInstance(\"SHA-512\");\n\t\tmessageDigest.reset();\n\t\tString credentialsToHash =\n\t\t\t\tcredentials.getUserName() + \":\" + credentials.getPassword();\n\t\tbyte[] hashedCredsAsBytes =\n\t\t\t\tmessageDigest.digest((salt+credentialsToHash).getBytes(\"UTF-8\"));\n\t\tdata = bytesToString(hashedCredsAsBytes);\n\t\t\n\t\t// GOOD: store data in a cookie in encrypted form\n\t\tresponse.addCookie(new Cookie(\"auth\", data));\n\t}\n}\n\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-315",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql",
+                  "precision": "high",
+                  "security-severity": "5"
+                }
+              },
+              {
+                "id": "java/command-line-injection",
+                "name": "java/command-line-injection",
+                "shortDescription": {
+                  "text": "Uncontrolled command line"
+                },
+                "fullDescription": {
+                  "text": "Using externally controlled strings in a command line is vulnerable to malicious changes in the strings."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n    public static void main(String[] args) {\n        String script = System.getenv(\"SCRIPTNAME\");\n        if (script != null) {\n            // BAD: The script to be executed is controlled by the user.\n            Runtime.getRuntime().exec(script);\n        }\n    }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n",
+                  "markdown": "# Uncontrolled command line\nCode that passes user input directly to `Runtime.exec`, or some other library routine that executes a command, allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the command to run or library to load. Instead of passing the user input directly to the process or library function, examine the user input and then choose among hard-coded string literals.\n\nIf the applicable libraries or commands cannot be determined at compile time, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that takes a shell script that can be changed maliciously by a user, and passes it straight to `Runtime.exec` without examining it first.\n\n\n```java\nclass Test {\n    public static void main(String[] args) {\n        String script = System.getenv(\"SCRIPTNAME\");\n        if (script != null) {\n            // BAD: The script to be executed is controlled by the user.\n            Runtime.getRuntime().exec(script);\n        }\n    }\n}\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-078",
+                    "external/cwe/cwe-088",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/concatenated-command-line",
+                "name": "java/concatenated-command-line",
+                "shortDescription": {
+                  "text": "Building a command line with string concatenation"
+                },
+                "fullDescription": {
+                  "text": "Using concatenated strings in a command line is vulnerable to malicious insertion of special characters in the strings."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n    public static void main(String[] args) {\n        // BAD: user input might include special characters such as ampersands\n        {\n            String latlonCoords = args[1];\n            Runtime rt = Runtime.getRuntime();\n            Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n        }\n\n        // GOOD: use an array of arguments instead of executing a string\n        {\n            String latlonCoords = args[1];\n            Runtime rt = Runtime.getRuntime();\n            Process exec = rt.exec(new String[] {\n                    \"c:\\\\path\\to\\latlon2utm.exe\",\n                    latlonCoords });\n        }\n    }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n",
+                  "markdown": "# Building a command line with string concatenation\nCode that builds a command line by concatenating strings that have been entered by a user allows the user to execute malicious code.\n\n\n## Recommendation\nExecute external commands using an array of strings rather than a single string. By using an array, many possible vulnerabilities in the formatting of the string are avoided.\n\n\n## Example\nIn the following example, `latlonCoords` contains a string that has been entered by a user but not validated by the program. This allows the user to, for example, append an ampersand (&) followed by the command for a malicious program to the end of the string. The ampersand instructs Windows to execute another program. In the block marked 'BAD', `latlonCoords` is passed to `exec` as part of a concatenated string, which allows more than one command to be executed. However, in the block marked 'GOOD', `latlonCoords` is passed as part of an array, which means that `exec` treats it only as an argument.\n\n\n```java\nclass Test {\n    public static void main(String[] args) {\n        // BAD: user input might include special characters such as ampersands\n        {\n            String latlonCoords = args[1];\n            Runtime rt = Runtime.getRuntime();\n            Process exec = rt.exec(\"cmd.exe /C latlon2utm.exe \" + latlonCoords);\n        }\n\n        // GOOD: use an array of arguments instead of executing a string\n        {\n            String latlonCoords = args[1];\n            Runtime rt = Runtime.getRuntime();\n            Process exec = rt.exec(new String[] {\n                    \"c:\\\\path\\to\\latlon2utm.exe\",\n                    latlonCoords });\n        }\n    }\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* SEI CERT Oracle Coding Standard for Java: [IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method](https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec()+method).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-078",
+                    "external/cwe/cwe-088",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/error-message-exposure",
+                "name": "java/error-message-exposure",
+                "shortDescription": {
+                  "text": "Information exposure through an error message"
+                },
+                "fullDescription": {
+                  "text": "Information from an error message propagates to an external user. Error messages can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n",
+                  "markdown": "# Information exposure through an error message\nThe error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the error message entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `getMessage()` method. As such, the user is able to see a detailed error message, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a exception message back to the response\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\tex.getMessage());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the exception message, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex.getMessage);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-209",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql",
+                  "precision": "high",
+                  "security-severity": "5.4"
+                }
+              },
+              {
+                "id": "java/groovy-injection",
+                "name": "java/groovy-injection",
+                "shortDescription": {
+                  "text": "Groovy Language injection"
+                },
+                "fullDescription": {
+                  "text": "Evaluation of a user-controlled Groovy script may lead to arbitrary code execution."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n    void injectionViaClassLoader(HttpServletRequest request) {    \n        String script = request.getParameter(\"script\");\n        final GroovyClassLoader classLoader = new GroovyClassLoader();\n        Class groovy = classLoader.parseClass(script);\n        GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n    }\n\n    void injectionViaEval(HttpServletRequest request) {\n        String script = request.getParameter(\"script\");\n        Eval.me(script);\n    }\n\n    void injectionViaGroovyShell(HttpServletRequest request) {\n        GroovyShell shell = new GroovyShell();\n        String script = request.getParameter(\"script\");\n        shell.evaluate(script);\n    }\n\n    void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n        GroovyShell shell = new GroovyShell();\n        String script = request.getParameter(\"script\");\n        GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n        shell.evaluate(gcs);\n    }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n    public SandboxGroovyClassLoader(ClassLoader parent) {\n        super(parent);\n    }\n\n    /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc.  */\n    /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. */\n\n    static void runWithSandboxGroovyClassLoader() throws Exception {\n        // GOOD: route all class-loading via sand-boxing classloader.\n        SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n        \n        Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n        Object scriptInstance = scriptClass.newInstance();\n        Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n    }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Groovy Language injection\nApache Groovy is a powerful, optionally typed and dynamic language, with static-typing and static compilation capabilities. It integrates smoothly with any Java program, and immediately delivers to your application powerful features, including scripting capabilities, Domain-Specific Language authoring, runtime and compile-time meta-programming and functional programming. If a Groovy script is built using attacker-controlled data, and then evaluated, then it may allow the attacker to achieve RCE.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a Groovy evaluation. If this is not possible, use a sandbox solution. Developers must also take care that Groovy compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling a Groovy script (see the article \"Abusing Meta Programming for Unauthenticated RCE!\" linked below). Groovy's `SecureASTCustomizer` allows securing source code by controlling what code constructs are permitted. This is typically done when using Groovy for its scripting or domain specific language (DSL) features. The fundamental problem is that Groovy is a dynamic language, yet `SecureASTCustomizer` works by looking at Groovy AST statically. This makes it very easy for an attacker to bypass many of the intended checks (see \\[Groovy SecureASTCustomizer is harmful\\](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/)). Therefore, besides `SecureASTCustomizer`, runtime checks are also necessary before calling Groovy methods (see \\[Improved sandboxing of Groovy scripts\\](https://melix.github.io/blog/2015/03/sandboxing.html)). It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. This method is not always recommended, because block-lists can be bypassed by unexpected values.\n\n\n## Example\nThe following example uses untrusted data to evaluate a Groovy script.\n\n\n```java\npublic class GroovyInjection {\n    void injectionViaClassLoader(HttpServletRequest request) {    \n        String script = request.getParameter(\"script\");\n        final GroovyClassLoader classLoader = new GroovyClassLoader();\n        Class groovy = classLoader.parseClass(script);\n        GroovyObject groovyObj = (GroovyObject) groovy.newInstance();\n    }\n\n    void injectionViaEval(HttpServletRequest request) {\n        String script = request.getParameter(\"script\");\n        Eval.me(script);\n    }\n\n    void injectionViaGroovyShell(HttpServletRequest request) {\n        GroovyShell shell = new GroovyShell();\n        String script = request.getParameter(\"script\");\n        shell.evaluate(script);\n    }\n\n    void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {\n        GroovyShell shell = new GroovyShell();\n        String script = request.getParameter(\"script\");\n        GroovyCodeSource gcs = new GroovyCodeSource(script, \"test\", \"Test\");\n        shell.evaluate(gcs);\n    }\n}\n\n\n```\nThe following example uses classloader block-list approach to exclude loading dangerous classes.\n\n\n```java\npublic class SandboxGroovyClassLoader extends ClassLoader {\n    public SandboxGroovyClassLoader(ClassLoader parent) {\n        super(parent);\n    }\n\n    /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc.  */\n    /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. */\n\n    static void runWithSandboxGroovyClassLoader() throws Exception {\n        // GOOD: route all class-loading via sand-boxing classloader.\n        SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());\n        \n        Class scriptClass = classLoader.parseClass(untrusted.getQueryString());\n        Object scriptInstance = scriptClass.newInstance();\n        Object result = scriptClass.getDeclaredMethod(\"bar\", new Class[]{}).invoke(scriptInstance, new Object[]{});\n    }\n}\n```\n\n## References\n* Orange Tsai: [Abusing Meta Programming for Unauthenticated RCE!](https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html).\n* Cédric Champeau: [Improved sandboxing of Groovy scripts](https://melix.github.io/blog/2015/03/sandboxing.html).\n* Kohsuke Kawaguchi: [Groovy SecureASTCustomizer is harmful](https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).\n* Welk1n: [Groovy Injection payloads](https://github.com/welk1n/exploiting-groovy-in-Java/).\n* Charles Chan: [Secure Groovy Script Execution in a Sandbox](https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/).\n* Eugene: [Scripting and sandboxing in a JVM environment](https://stringconcat.com/en/scripting-and-sandboxing/).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/http-response-splitting",
+                "name": "java/http-response-splitting",
+                "shortDescription": {
+                  "text": "HTTP response splitting"
+                },
+                "fullDescription": {
+                  "text": "Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n",
+                  "markdown": "# HTTP response splitting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-113",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql",
+                  "precision": "high",
+                  "security-severity": "6.1"
+                }
+              },
+              {
+                "id": "java/implicit-cast-in-compound-assignment",
+                "name": "java/implicit-cast-in-compound-assignment",
+                "shortDescription": {
+                  "text": "Implicit narrowing conversion in compound assignment"
+                },
+                "fullDescription": {
+                  "text": "Compound assignment statements (for example 'intvar += longvar') that implicitly cast a value of a wider type to a narrower type may result in information loss and numeric errors such as overflows."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n",
+                  "markdown": "# Implicit narrowing conversion in compound assignment\nCompound assignment statements of the form `x += y` or `x *= y` perform an implicit narrowing conversion if the type of `x` is narrower than the type of `y`. For example, `x += y` is equivalent to `x = (T)(x + y)`, where `T` is the type of `x`. This can result in information loss and numeric errors such as overflows.\n\n\n## Recommendation\nEnsure that the type of the left-hand side of the compound assignment statement is at least as wide as the type of the right-hand side.\n\n\n## Example\nIf `x` is of type `short` and `y` is of type `int`, the expression `x + y` is of type `int`. However, the expression `x += y` is equivalent to `x = (short) (x + y)`. The expression `x + y` is cast to the type of the left-hand side of the assignment: `short`, possibly leading to information loss.\n\nTo avoid implicitly narrowing the type of `x + y`, change the type of `x` to `int`. Then the types of `x` and `x + y` are both `int` and there is no need for an implicit cast.\n\n\n## References\n* J. Bloch and N. Gafter, *Java Puzzlers: Traps, Pitfalls, and Corner Cases*, Puzzle 9. Addison-Wesley, 2005.\n* Java Language Specification: [Compound Assignment Operators](https://docs.oracle.com/javase/specs/jls/se11/html/jls-15.html#jls-15.26.2), [Narrowing Primitive Conversion](https://docs.oracle.com/javase/specs/jls/se11/html/jls-5.html#jls-5.1.3).\n* SEI CERT Oracle Coding Standard for Java: [NUM00-J. Detect or prevent integer overflow](https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow).\n* Common Weakness Enumeration: [CWE-190](https://cwe.mitre.org/data/definitions/190.html).\n* Common Weakness Enumeration: [CWE-192](https://cwe.mitre.org/data/definitions/192.html).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-190",
+                    "external/cwe/cwe-192",
+                    "external/cwe/cwe-197",
+                    "external/cwe/cwe-681",
+                    "reliability",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Likely%20Bugs/Arithmetic/InformationLoss.ql",
+                  "precision": "very-high",
+                  "security-severity": "8.1"
+                }
+              },
+              {
+                "id": "java/improper-intent-verification",
+                "name": "java/improper-intent-verification",
+                "shortDescription": {
+                  "text": "Improper verification of intent by broadcast receiver"
+                },
+                "fullDescription": {
+                  "text": "A broadcast receiver that does not verify intents it receives may be susceptible to unintended behavior by third party applications sending it explicit intents."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n    @Override\n    public void onReceive(final Context context, final Intent intent) {\n        mainActivity.saveLocalData();\n        mainActivity.stopActivity();\n    }\n}\n```\n\n```xml\n\n    \n        \n            \n                \n            \n        \n    \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n    @Override\n    public void onReceive(final Context context, final Intent intent) {\n        if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n            return;\n        }\n        mainActivity.saveLocalData();\n        mainActivity.stopActivity();\n    }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n",
+                  "markdown": "# Improper verification of intent by broadcast receiver\nWhen an Android application uses a `BroadcastReceiver` to receive intents, it is also able to receive explicit intents that are sent directly to it, regardless of its filter. Certain intent actions are only able to be sent by the operating system, not third-party applications. However, a `BroadcastReceiver` that is registered to receive system intents is still able to receive intents from a third-party application, so it should check that the intent received has the expected action. Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.\n\n\n## Example\nIn the following code, the `ShutdownReceiver` initiates a shutdown procedure upon receiving an intent, without checking that the received action is indeed `ACTION_SHUTDOWN`. This allows third-party applications to send explicit intents to this receiver to cause a denial of service.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n    @Override\n    public void onReceive(final Context context, final Intent intent) {\n        mainActivity.saveLocalData();\n        mainActivity.stopActivity();\n    }\n}\n```\n\n```xml\n\n    \n        \n            \n                \n            \n        \n    \n\n```\n\n## Recommendation\nIn the `onReceive` method of a `BroadcastReceiver`, the action of the received Intent should be checked. The following code demonstrates this.\n\n\n```java\npublic class ShutdownReceiver extends BroadcastReceiver {\n    @Override\n    public void onReceive(final Context context, final Intent intent) {\n        if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {\n            return;\n        }\n        mainActivity.saveLocalData();\n        mainActivity.stopActivity();\n    }\n}\n```\n\n## References\n* Common Weakness Enumeration: [CWE-925](https://cwe.mitre.org/data/definitions/925.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-925",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql",
+                  "precision": "high",
+                  "security-severity": "8.2"
+                }
+              },
+              {
+                "id": "java/improper-webview-certificate-validation",
+                "name": "java/improper-webview-certificate-validation",
+                "shortDescription": {
+                  "text": "Android `WebView` that accepts all certificates"
+                },
+                "fullDescription": {
+                  "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given `SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n    // BAD: All certificates are trusted.\n    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n        handler.proceed(); \n    }\n}\n\nclass Good extends WebViewClient {\n    PublicKey myPubKey = ...;\n\n    // GOOD: Only certificates signed by a certain public key are trusted.\n    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n        try {\n            X509Certificate cert = error.getCertificate().getX509Certificate();\n            cert.verify(this.myPubKey);\n            handler.proceed();\n        }\n        catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n            handler.cancel();\n        }\n    }    \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n",
+                  "markdown": "# Android `WebView` that accepts all certificates\nIf the `onReceivedSslError` method of an Android `WebViewClient` always calls `proceed` on the given `SslErrorHandler`, it trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable application connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable application calls the `onReceivedSslError` method to check whether it should trust the certificate.\n1. The `onReceivedSslError` method of your `WebViewClient` calls `SslErrorHandler.proceed`.\n1. The vulnerable application accepts the certificate and proceeds with the connection since your `WevViewClient` trusted it by proceeding.\n1. The attacker can now read the data your application sends to `https://example.com` and/or alter its replies while the application thinks the connection is secure.\n\n## Recommendation\nDo not use a call `SslerrorHandler.proceed` unconditionally. If you have to use a self-signed certificate, only accept that certificate, not all certificates.\n\n\n## Example\nIn the first (bad) example, the `WebViewClient` trusts all certificates by always calling `SslErrorHandler.proceed`. In the second (good) example, only certificates signed by a certain public key are accepted.\n\n\n```java\nclass Bad extends WebViewClient {\n    // BAD: All certificates are trusted.\n    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n        handler.proceed(); \n    }\n}\n\nclass Good extends WebViewClient {\n    PublicKey myPubKey = ...;\n\n    // GOOD: Only certificates signed by a certain public key are trusted.\n    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult\n        try {\n            X509Certificate cert = error.getCertificate().getX509Certificate();\n            cert.verify(this.myPubKey);\n            handler.proceed();\n        }\n        catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {\n            handler.cancel();\n        }\n    }    \n}\n```\n\n## References\n* [WebViewClient.onReceivedSslError documentation](https://developer.android.com/reference/android/webkit/WebViewClient?hl=en#onReceivedSslError(android.webkit.WebView,%20android.webkit.SslErrorHandler,%20android.net.http.SslError)).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-295",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/insecure-bean-validation",
+                "name": "java/insecure-bean-validation",
+                "shortDescription": {
+                  "text": "Insecure Bean Validation"
+                },
+                "fullDescription": {
+                  "text": "User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n   constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n   .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n   .configure()\n   .messageInterpolator(new ParameterMessageInterpolator())\n   .buildValidatorFactory()\n   .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n    public static class InterpolationHelper {\n\n        public static final char BEGIN_TERM = '{';\n        public static final char END_TERM = '}';\n        public static final char EL_DESIGNATOR = '$';\n        public static final char ESCAPE_CHARACTER = '\\\\';\n\n        private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n        private InterpolationHelper() {\n        }\n\n        public static String escapeMessageParameter(String messageParameter) {\n            if ( messageParameter == null ) {\n                return null;\n            }\n            return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n        }\n\n    }\n\n    @Override\n    public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n        String value = object + \" is invalid\";\n\n        // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n        constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n        // Good: Bean properties (normally user-controlled) are escaped \n        String escaped = InterpolationHelper.escapeMessageParameter(value);\n        constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n        // Good: Bean properties (normally user-controlled) are parameterized\n        HibernateConstraintValidatorContext context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n        context.addMessageParameter( \"prop\", object );\n        context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n        return false;\n    }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Insecure Bean Validation\nCustom error messages for constraint validators support different types of interpolation, including [Java EL expressions](https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions). Controlling part of the message template being passed to `ConstraintValidatorContext.buildConstraintViolationWithTemplate()` argument can lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.\n\n\n## Recommendation\nThere are different approaches to remediate the issue:\n\n* Do not include validated bean properties in the custom error message.\n* Use parameterized messages instead of string concatenation. For example:\n```\nHibernateConstraintValidatorContext context =\n   constraintValidatorContext.unwrap(HibernateConstraintValidatorContext.class);\ncontext.addMessageParameter(\"foo\", \"bar\");\ncontext.buildConstraintViolationWithTemplate(\"My violation message contains a parameter {foo}\")\n   .addConstraintViolation();\n```\n* Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization logic can be found [here](https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17).\n* Disable the EL interpolation and only use `ParameterMessageInterpolator`:\n```\nValidator validator = Validation.byDefaultProvider()\n   .configure()\n   .messageInterpolator(new ParameterMessageInterpolator())\n   .buildValidatorFactory()\n   .getValidator();\n```\n* Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this replacement may not be a simple drop-in replacement.\n\n## Example\nThe following validator could result in arbitrary Java code execution:\n\n\n```java\nimport javax.validation.ConstraintValidator;\nimport javax.validation.ConstraintValidatorContext;\nimport org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;\nimport java.util.regex.Matcher;\nimport java.util.regex.Pattern;\n\npublic class TestValidator implements ConstraintValidator {\n\n    public static class InterpolationHelper {\n\n        public static final char BEGIN_TERM = '{';\n        public static final char END_TERM = '}';\n        public static final char EL_DESIGNATOR = '$';\n        public static final char ESCAPE_CHARACTER = '\\\\';\n\n        private static final Pattern ESCAPE_MESSAGE_PARAMETER_PATTERN = Pattern.compile( \"([\\\\\" + ESCAPE_CHARACTER + BEGIN_TERM + END_TERM + EL_DESIGNATOR + \"])\" );\n\n        private InterpolationHelper() {\n        }\n\n        public static String escapeMessageParameter(String messageParameter) {\n            if ( messageParameter == null ) {\n                return null;\n            }\n            return ESCAPE_MESSAGE_PARAMETER_PATTERN.matcher( messageParameter ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + \"$1\" );\n        }\n\n    }\n\n    @Override\n    public boolean isValid(String object, ConstraintValidatorContext constraintContext) {\n        String value = object + \" is invalid\";\n\n        // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`\n        constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();\n\n        // Good: Bean properties (normally user-controlled) are escaped \n        String escaped = InterpolationHelper.escapeMessageParameter(value);\n        constraintContext.buildConstraintViolationWithTemplate(escaped).addConstraintViolation().disableDefaultConstraintViolation();\n\n        // Good: Bean properties (normally user-controlled) are parameterized\n        HibernateConstraintValidatorContext context = constraintContext.unwrap( HibernateConstraintValidatorContext.class );\n        context.addMessageParameter( \"prop\", object );\n        context.buildConstraintViolationWithTemplate( \"{prop} is invalid\").addConstraintViolation();\n        return false;\n    }\n\n}\n\n```\n\n## References\n* Hibernate Reference Guide: [ConstraintValidatorContext](https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code).\n* GitHub Security Lab research: [Bean validation](https://securitylab.github.com/research/bean-validation-RCE).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/insecure-cookie",
+                "name": "java/insecure-cookie",
+                "shortDescription": {
+                  "text": "Failure to use secure cookies"
+                },
+                "fullDescription": {
+                  "text": "Insecure cookies may be sent in cleartext, which makes them vulnerable to interception."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n",
+                  "markdown": "# Failure to use secure cookies\nFailing to set the 'secure' flag on a cookie can cause it to be sent in cleartext. This makes it easier for an attacker to intercept.\n\n\n## Recommendation\nAlways use `setSecure` to set the 'secure' flag on a cookie before adding it to an `HttpServletResponse`.\n\n\n## Example\nThis example shows two ways of adding a cookie to an `HttpServletResponse`. The first way leaves out the setting of the 'secure' flag; the second way includes the setting of the flag.\n\n\n```java\npublic static void test(HttpServletRequest request, HttpServletResponse response) {\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// BAD: 'secure' flag not set\n\t\tresponse.addCookie(cookie);\n\t}\n\n\t{\n\t\tCookie cookie = new Cookie(\"secret\", \"fakesecret\");\n\t\t\n\t\t// GOOD: set 'secure' flag\n\t\tcookie.setSecure(true);\n\t\tresponse.addCookie(cookie);\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SER03-J. Do not serialize unencrypted, sensitive data](https://wiki.sei.cmu.edu/confluence/display/java/SER03-J.+Do+not+serialize+unencrypted+sensitive+data).\n* Java Platform, Enterprise Edition (Java EE) 7, API Specification: [Class Cookie](https://docs.oracle.com/javaee/7/api/javax/servlet/http/Cookie.html).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-614",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql",
+                  "precision": "high",
+                  "security-severity": "5"
+                }
+              },
+              {
+                "id": "java/insecure-ldap-auth",
+                "name": "java/insecure-ldap-auth",
+                "shortDescription": {
+                  "text": "Insecure LDAP authentication"
+                },
+                "fullDescription": {
+                  "text": "LDAP authentication with credentials sent in cleartext makes sensitive information vulnerable to remote attackers"
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n",
+                  "markdown": "# Insecure LDAP authentication\nWhen using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.\n\n\n## Recommendation\nUse the `ldaps://` protocol to send credentials through SSL or use SASL authentication.\n\n\n## Example\nIn the following (bad) example, a `ldap://` URL is used and credentials will be sent in plaintext.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldaps://` URL is used so credentials will be encrypted with SSL.\n\n\n```java\nString ldapUrl = \"ldaps://ad.your-server.com:636\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"simple\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\nIn the following (good) example, a `ldap://` URL is used, but SASL authentication is enabled so that the credentials will be encrypted.\n\n\n```java\nString ldapUrl = \"ldap://ad.your-server.com:389\";\nHashtable environment = new Hashtable();\nenvironment.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.ldap.LdapCtxFactory\");\nenvironment.put(Context.PROVIDER_URL, ldapUrl);\nenvironment.put(Context.REFERRAL, \"follow\");\nenvironment.put(Context.SECURITY_AUTHENTICATION, \"DIGEST-MD5 GSSAPI\");\nenvironment.put(Context.SECURITY_PRINCIPAL, ldapUserName);\nenvironment.put(Context.SECURITY_CREDENTIALS, password);\nDirContext dirContext = new InitialDirContext(environment);\n\n```\n\n## References\n* Oracle: [LDAP and LDAPS URLs](https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html)\n* Oracle: [Simple authentication](https://docs.oracle.com/javase/tutorial/jndi/ldap/simple.html)\n* Common Weakness Enumeration: [CWE-522](https://cwe.mitre.org/data/definitions/522.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-319",
+                    "external/cwe/cwe-522",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql",
+                  "precision": "high",
+                  "security-severity": "8.8"
+                }
+              },
+              {
+                "id": "java/insecure-randomness",
+                "name": "java/insecure-randomness",
+                "shortDescription": {
+                  "text": "Insecure randomness"
+                },
+                "fullDescription": {
+                  "text": "Using a cryptographically Insecure pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n",
+                  "markdown": "# Insecure randomness\nIf you use a cryptographically weak pseudo-random number generator to generate security-sensitive values, such as passwords, attackers can more easily predict those values.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values (the seed). If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nThe `java.util.Random` random number generator is not cryptographically secure. Use a secure random number generator such as `java.security.SecureRandom` instead.\n\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a general rule, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\n\n## Example\nThe following examples show different ways of generating a cookie with a random value.\n\nIn the first (BAD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`Random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated cookie.\n\n\n```java\nRandom r = new Random();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\nIn the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (`SecureRandom`) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.\n\n\n```java\nSecureRandom r = new SecureRandom();\n\nbyte[] bytes = new byte[16];\nr.nextBytes(bytes);\n\nString cookieValue = encode(bytes);\n\nCookie cookie = new Cookie(\"name\", cookieValue);\nresponse.addCookie(cookie);\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Java Docs: [Random](http://docs.oracle.com/javase/8/docs/api/java/util/Random.html).\n* Java Docs: [SecureRandom](http://docs.oracle.com/javase/8/docs/api/java/security/SecureRandom.html).\n* Common Weakness Enumeration: [CWE-330](https://cwe.mitre.org/data/definitions/330.html).\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-330",
+                    "external/cwe/cwe-338",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql",
+                  "precision": "high",
+                  "security-severity": "7.8"
+                }
+              },
+              {
+                "id": "java/insecure-trustmanager",
+                "name": "java/insecure-trustmanager",
+                "shortDescription": {
+                  "text": "`TrustManager` that accepts all certificates"
+                },
+                "fullDescription": {
+                  "text": "Trusting all certificates allows an attacker to perform a machine-in-the-middle attack."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n    {\n        class InsecureTrustManager implements X509TrustManager {\n            @Override\n            public X509Certificate[] getAcceptedIssuers() {\n                return null;\n            }\n\n            @Override\n            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n                // BAD: Does not verify the certificate chain, allowing any certificate.\n            }\n\n            @Override\n            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n            }\n        }\n        SSLContext context = SSLContext.getInstance(\"TLS\");\n        TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n        context.init(null, trustManager, null);\n    }\n    {\n        SSLContext context = SSLContext.getInstance(\"TLS\");\n        File certificateFile = new File(\"path/to/self-signed-certificate\");\n        // Create a `KeyStore` with default type\n        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n        // `keyStore` is initially empty\n        keyStore.load(null, null);\n        X509Certificate generatedCertificate;\n        try (InputStream cert = new FileInputStream(certificateFile)) {\n            generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n                    .generateCertificate(cert);\n        }\n        // Add the self-signed certificate to the key store\n        keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n        // Get default `TrustManagerFactory`\n        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n        // Use it with our key store that trusts our self-signed certificate\n        tmf.init(keyStore);\n        TrustManager[] trustManagers = tmf.getTrustManagers();\n        context.init(null, trustManagers, null);\n        // GOOD, we are not using a custom `TrustManager` but instead have\n        // added the self-signed certificate we want to trust to the key\n        // store. Note, the `trustManagers` will **only** trust this one\n        // certificate.\n        \n        URL url = new URL(\"https://self-signed.badssl.com/\");\n        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n        conn.setSSLSocketFactory(context.getSocketFactory());\n    }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n",
+                  "markdown": "# `TrustManager` that accepts all certificates\nIf the `checkServerTrusted` method of a `TrustManager` never throws a `CertificateException`, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.\n\nAn attack might look like this:\n\n1. The vulnerable program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents a valid, self-signed certificate for `https://example.com`.\n1. The vulnerable program calls the `checkServerTrusted` method to check whether it should trust the certificate.\n1. The `checkServerTrusted` method of your `TrustManager` does not throw a `CertificateException`.\n1. The vulnerable program accepts the certificate and proceeds with the connection since your `TrustManager` implicitly trusted it by not throwing an exception.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use a custom `TrustManager` that trusts any certificate. If you have to use a self-signed certificate, don't trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.\n\n\n## Example\nIn the first (bad) example, the `TrustManager` never throws a `CertificateException` and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a `KeyStore`. This explicitly defines the certificate as trusted and there is no need to create a custom `TrustManager`.\n\n\n```java\npublic static void main(String[] args) throws Exception {\n    {\n        class InsecureTrustManager implements X509TrustManager {\n            @Override\n            public X509Certificate[] getAcceptedIssuers() {\n                return null;\n            }\n\n            @Override\n            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n                // BAD: Does not verify the certificate chain, allowing any certificate.\n            }\n\n            @Override\n            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {\n\n            }\n        }\n        SSLContext context = SSLContext.getInstance(\"TLS\");\n        TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };\n        context.init(null, trustManager, null);\n    }\n    {\n        SSLContext context = SSLContext.getInstance(\"TLS\");\n        File certificateFile = new File(\"path/to/self-signed-certificate\");\n        // Create a `KeyStore` with default type\n        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());\n        // `keyStore` is initially empty\n        keyStore.load(null, null);\n        X509Certificate generatedCertificate;\n        try (InputStream cert = new FileInputStream(certificateFile)) {\n            generatedCertificate = (X509Certificate) CertificateFactory.getInstance(\"X509\")\n                    .generateCertificate(cert);\n        }\n        // Add the self-signed certificate to the key store\n        keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);\n        // Get default `TrustManagerFactory`\n        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n        // Use it with our key store that trusts our self-signed certificate\n        tmf.init(keyStore);\n        TrustManager[] trustManagers = tmf.getTrustManagers();\n        context.init(null, trustManagers, null);\n        // GOOD, we are not using a custom `TrustManager` but instead have\n        // added the self-signed certificate we want to trust to the key\n        // store. Note, the `trustManagers` will **only** trust this one\n        // certificate.\n        \n        URL url = new URL(\"https://self-signed.badssl.com/\");\n        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n        conn.setSSLSocketFactory(context.getSocketFactory());\n    }\n}\n\n```\n\n## References\n* Android Developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-295",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/insufficient-key-size",
+                "name": "java/insufficient-key-size",
+                "shortDescription": {
+                  "text": "Use of a cryptographic algorithm with insufficient key size"
+                },
+                "fullDescription": {
+                  "text": "Using cryptographic algorithms with too small a key size can allow an attacker to compromise security."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n    KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n    keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n    KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n    keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n    KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n    keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n    KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n    ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n    keyPairGen4.initialize(ecSpec);\n\n    KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n    keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n",
+                  "markdown": "# Use of a cryptographic algorithm with insufficient key size\nModern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.\n\n\n## Recommendation\nUse a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.\n\n\n## Example\nThe following code uses cryptographic algorithms with insufficient key sizes.\n\n\n```java\n    KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance(\"RSA\");\n    keyPairGen1.initialize(1024); // BAD: Key size is less than 2048\n\n    KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance(\"DSA\");\n    keyPairGen2.initialize(1024); // BAD: Key size is less than 2048\n\n    KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance(\"DH\");\n    keyPairGen3.initialize(1024); // BAD: Key size is less than 2048\n\n    KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance(\"EC\");\n    ECGenParameterSpec ecSpec = new ECGenParameterSpec(\"secp112r1\"); // BAD: Key size is less than 256\n    keyPairGen4.initialize(ecSpec);\n\n    KeyGenerator keyGen = KeyGenerator.getInstance(\"AES\");\n    keyGen.init(64); // BAD: Key size is less than 128\n\n```\nTo fix the code, change the key sizes to be the recommended size or larger for each algorithm.\n\n\n## References\n* Wikipedia: [Key size](http://en.wikipedia.org/wiki/Key_size).\n* Wikipedia: [Strong cryptography](https://en.wikipedia.org/wiki/Strong_cryptography).\n* OWASP: [ Cryptographic Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms).\n* OWASP: [ Testing for Weak Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption).\n* NIST: [ Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-326",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/jexl-expression-injection",
+                "name": "java/jexl-expression-injection",
+                "shortDescription": {
+                  "text": "Expression language injection (JEXL)"
+                },
+                "fullDescription": {
+                  "text": "Evaluation of a user-controlled JEXL expression may lead to arbitrary code execution."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n        new InputStreamReader(socket.getInputStream()))) {\n    \n    String input = reader.readLine();\n    JexlEngine jexl = new JexlBuilder().create();\n    JexlExpression expression = jexl.createExpression(input);\n    JexlContext context = new MapContext();\n    expression.evaluate(context);\n  }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n        new InputStreamReader(socket.getInputStream()))) {\n    \n    JexlSandbox onlyMath = new JexlSandbox(false);\n    onlyMath.white(\"java.lang.Math\");\n    JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n      \n    String input = reader.readLine();\n    JexlExpression expression = jexl.createExpression(input);\n    JexlContext context = new MapContext();\n    expression.evaluate(context);\n  }\n}\n```\nThe next example shows another way how a sandbox can be implemented. It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n        new InputStreamReader(socket.getInputStream()))) {\n    \n    JexlUberspect sandbox = new JexlUberspectSandbox();\n    JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n      \n    String input = reader.readLine();\n    JexlExpression expression = jexl.createExpression(input);\n    JexlContext context = new MapContext();\n    expression.evaluate(context);\n  }\n\n  private static class JexlUberspectSandbox implements JexlUberspect {\n\n    private static final List ALLOWED_CLASSES =\n              Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n    private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n    private void checkAccess(Object obj) {\n      if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n        throw new AccessControlException(\"Not allowed\");\n      }\n    }\n\n    @Override\n    public JexlMethod getMethod(Object obj, String method, Object... args) {\n      checkAccess(obj);\n      return uberspect.getMethod(obj, method, args);\n    }\n\n    @Override\n    public List getResolvers(JexlOperator op, Object obj) {\n      checkAccess(obj);\n      return uberspect.getResolvers(op, obj);\n    }\n\n    @Override\n    public void setClassLoader(ClassLoader loader) {\n      uberspect.setClassLoader(loader);\n    }\n\n    @Override\n    public int getVersion() {\n      return uberspect.getVersion();\n    }\n\n    @Override\n    public JexlMethod getConstructor(Object obj, Object... args) {\n      checkAccess(obj);\n      return uberspect.getConstructor(obj, args);\n    }\n\n    @Override\n    public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n      checkAccess(obj);\n      return uberspect.getPropertyGet(obj, identifier);\n    }\n\n    @Override\n    public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n      checkAccess(obj);\n      return uberspect.getPropertyGet(resolvers, obj, identifier);\n    }\n\n    @Override\n    public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n      checkAccess(obj);\n      return uberspect.getPropertySet(obj, identifier, arg);\n    }\n\n    @Override\n    public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n      checkAccess(obj);\n      return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n    }\n\n    @Override\n    public Iterator getIterator(Object obj) {\n      checkAccess(obj);\n      return uberspect.getIterator(obj);\n    }\n\n    @Override\n    public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n      return uberspect.getArithmetic(arithmetic);\n    } \n  }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Expression language injection (JEXL)\nJava EXpression Language (JEXL) is a simple expression language provided by the Apache Commons JEXL library. The syntax is close to a mix of ECMAScript and shell-script. The language allows invocation of methods available in the JVM. If a JEXL expression is built using attacker-controlled data, and then evaluated, then it may allow the attacker to run arbitrary code.\n\n\n## Recommendation\nIt is generally recommended to avoid using untrusted input in a JEXL expression. If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only explicitly allowed classes.\n\n\n## Example\nThe following example uses untrusted data to build and run a JEXL expression.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n        new InputStreamReader(socket.getInputStream()))) {\n    \n    String input = reader.readLine();\n    JexlEngine jexl = new JexlBuilder().create();\n    JexlExpression expression = jexl.createExpression(input);\n    JexlContext context = new MapContext();\n    expression.evaluate(context);\n  }\n}\n```\nThe next example shows how an untrusted JEXL expression can be run in a sandbox that allows accessing only methods in the `java.lang.Math` class. The sandbox is implemented using `JexlSandbox` class that is provided by Apache Commons JEXL 3.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n        new InputStreamReader(socket.getInputStream()))) {\n    \n    JexlSandbox onlyMath = new JexlSandbox(false);\n    onlyMath.white(\"java.lang.Math\");\n    JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();\n      \n    String input = reader.readLine();\n    JexlExpression expression = jexl.createExpression(input);\n    JexlContext context = new MapContext();\n    expression.evaluate(context);\n  }\n}\n```\nThe next example shows another way how a sandbox can be implemented. It uses a custom implementation of `JexlUberspect` that checks if callees are instances of allowed classes.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n        new InputStreamReader(socket.getInputStream()))) {\n    \n    JexlUberspect sandbox = new JexlUberspectSandbox();\n    JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();\n      \n    String input = reader.readLine();\n    JexlExpression expression = jexl.createExpression(input);\n    JexlContext context = new MapContext();\n    expression.evaluate(context);\n  }\n\n  private static class JexlUberspectSandbox implements JexlUberspect {\n\n    private static final List ALLOWED_CLASSES =\n              Arrays.asList(\"java.lang.Math\", \"java.util.Random\");\n\n    private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();\n\n    private void checkAccess(Object obj) {\n      if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {\n        throw new AccessControlException(\"Not allowed\");\n      }\n    }\n\n    @Override\n    public JexlMethod getMethod(Object obj, String method, Object... args) {\n      checkAccess(obj);\n      return uberspect.getMethod(obj, method, args);\n    }\n\n    @Override\n    public List getResolvers(JexlOperator op, Object obj) {\n      checkAccess(obj);\n      return uberspect.getResolvers(op, obj);\n    }\n\n    @Override\n    public void setClassLoader(ClassLoader loader) {\n      uberspect.setClassLoader(loader);\n    }\n\n    @Override\n    public int getVersion() {\n      return uberspect.getVersion();\n    }\n\n    @Override\n    public JexlMethod getConstructor(Object obj, Object... args) {\n      checkAccess(obj);\n      return uberspect.getConstructor(obj, args);\n    }\n\n    @Override\n    public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {\n      checkAccess(obj);\n      return uberspect.getPropertyGet(obj, identifier);\n    }\n\n    @Override\n    public JexlPropertyGet getPropertyGet(List resolvers, Object obj, Object identifier) {\n      checkAccess(obj);\n      return uberspect.getPropertyGet(resolvers, obj, identifier);\n    }\n\n    @Override\n    public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {\n      checkAccess(obj);\n      return uberspect.getPropertySet(obj, identifier, arg);\n    }\n\n    @Override\n    public JexlPropertySet getPropertySet(List resolvers, Object obj, Object identifier, Object arg) {\n      checkAccess(obj);\n      return uberspect.getPropertySet(resolvers, obj, identifier, arg);\n    }\n\n    @Override\n    public Iterator getIterator(Object obj) {\n      checkAccess(obj);\n      return uberspect.getIterator(obj);\n    }\n\n    @Override\n    public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {\n      return uberspect.getArithmetic(arithmetic);\n    } \n  }\n}\n```\n\n## References\n* Apache Commons JEXL: [Project page](https://commons.apache.org/proper/commons-jexl/).\n* Apache Commons JEXL documentation: [JEXL 2.1.1 API](https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/).\n* Apache Commons JEXL documentation: [JEXL 3.1 API](https://commons.apache.org/proper/commons-jexl/apidocs/index.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/jhipster-prng",
+                "name": "java/jhipster-prng",
+                "shortDescription": {
+                  "text": "Detect JHipster Generator Vulnerability CVE-2019-16303"
+                },
+                "fullDescription": {
+                  "text": "Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n    private static final int DEF_COUNT = 20;\n\n    private RandomUtil() {\n    }\n\n    /**\n     * Generate a password.\n     *\n     * @return the generated password.\n     */\n    public static String generatePassword() {\n        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate an activation key.\n     *\n     * @return the generated activation key.\n     */\n    public static String generateActivationKey() {\n        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate a reset key.\n     *\n     * @return the generated reset key.\n     */\n    public static String generateResetKey() {\n        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate a unique series to validate a persistent token, used in the\n     * authentication remember-me mechanism.\n     *\n     * @return the generated series data.\n     */\n    public static String generateSeriesData() {\n        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate a persistent token, used in the authentication remember-me mechanism.\n     *\n     * @return the generated token data.\n     */\n    public static String generateTokenData() {\n        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n    private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n    private static final int DEF_COUNT = 20;\n\n    static {\n        SECURE_RANDOM.nextBytes(new byte[64]);\n    }\n\n    private RandomUtil() {\n    }\n\n    private static String generateRandomAlphanumericString() {\n        // GOOD: Passing Secure Random to RandomStringUtils::random\n        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n    }\n\n    /**\n     * Generate a password.\n     *\n     * @return the generated password.\n     */\n    public static String generatePassword() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate an activation key.\n     *\n     * @return the generated activation key.\n     */\n    public static String generateActivationKey() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate a reset key.\n     *\n     * @return the generated reset key.\n     */\n    public static String generateResetKey() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate a unique series to validate a persistent token, used in the\n     * authentication remember-me mechanism.\n     *\n     * @return the generated series data.\n     */\n    public static String generateSeriesData() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate a persistent token, used in the authentication remember-me mechanism.\n     *\n     * @return the generated token data.\n     */\n    public static String generateTokenData() {\n        return generateRandomAlphanumericString();\n    }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n",
+                  "markdown": "# Detect JHipster Generator Vulnerability CVE-2019-16303\nThis query detects instances of `RandomUtil.java` that were generated by a [JHipster](https://www.jhipster.tech/) version that is vulnerable to [CVE-2019-16303](https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84).\n\nIf an app uses `RandomUtil.java` generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.\n\nThis vulnerability has a [ CVSS v3.0 Base Score of 9.8/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST).\n\n\n## Example\nThe example below shows the vulnerable `RandomUtil` class generated by [JHipster prior to version 6.3.0](https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html).\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n\n    private static final int DEF_COUNT = 20;\n\n    private RandomUtil() {\n    }\n\n    /**\n     * Generate a password.\n     *\n     * @return the generated password.\n     */\n    public static String generatePassword() {\n        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate an activation key.\n     *\n     * @return the generated activation key.\n     */\n    public static String generateActivationKey() {\n        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate a reset key.\n     *\n     * @return the generated reset key.\n     */\n    public static String generateResetKey() {\n        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate a unique series to validate a persistent token, used in the\n     * authentication remember-me mechanism.\n     *\n     * @return the generated series data.\n     */\n    public static String generateSeriesData() {\n        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n\n    /**\n     * Generate a persistent token, used in the authentication remember-me mechanism.\n     *\n     * @return the generated token data.\n     */\n    public static String generateTokenData() {\n        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom\n    }\n}\n\n```\nBelow is a fixed version of the `RandomUtil` class.\n\n\n```java\nimport org.apache.commons.lang3.RandomStringUtils;\n\nimport java.security.SecureRandom;\n\n/**\n * Utility class for generating random Strings.\n */\npublic final class RandomUtil {\n    private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom\n\n    private static final int DEF_COUNT = 20;\n\n    static {\n        SECURE_RANDOM.nextBytes(new byte[64]);\n    }\n\n    private RandomUtil() {\n    }\n\n    private static String generateRandomAlphanumericString() {\n        // GOOD: Passing Secure Random to RandomStringUtils::random\n        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);\n    }\n\n    /**\n     * Generate a password.\n     *\n     * @return the generated password.\n     */\n    public static String generatePassword() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate an activation key.\n     *\n     * @return the generated activation key.\n     */\n    public static String generateActivationKey() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate a reset key.\n     *\n     * @return the generated reset key.\n     */\n    public static String generateResetKey() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate a unique series to validate a persistent token, used in the\n     * authentication remember-me mechanism.\n     *\n     * @return the generated series data.\n     */\n    public static String generateSeriesData() {\n        return generateRandomAlphanumericString();\n    }\n\n    /**\n     * Generate a persistent token, used in the authentication remember-me mechanism.\n     *\n     * @return the generated token data.\n     */\n    public static String generateTokenData() {\n        return generateRandomAlphanumericString();\n    }\n}\n\n```\n\n## Recommendation\nYou should refactor the `RandomUtil` class and replace every call to `RandomStringUtils.randomAlphaNumeric`. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the [Patching JHipster CWE-338](https://github.com/moderneinc/jhipster-cwe-338) for the [Rewrite project](https://github.com/openrewrite/rewrite).\n\n\n## References\n* Cloudflare Blog: [ Why secure systems require random numbers ](https://blog.cloudflare.com/why-randomness-matters/)\n* Hacker News: [ How I Hacked Hacker News (with arc security advisory) ](https://news.ycombinator.com/item?id=639976)\n* Posts by Pucara Information Security Team: [ The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day) ](https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-338",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql",
+                  "precision": "very-high",
+                  "security-severity": "7.8"
+                }
+              },
+              {
+                "id": "java/jndi-injection",
+                "name": "java/jndi-injection",
+                "shortDescription": {
+                  "text": "JNDI lookup with user-controlled name"
+                },
+                "fullDescription": {
+                  "text": "Performing a JNDI lookup with a user-controlled name can lead to the download of an untrusted object and to execution of arbitrary code."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n  String name = request.getParameter(\"name\");\n\n  Hashtable env = new Hashtable();\n  env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n  env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n  InitialContext ctx = new InitialContext(env);\n\n  // BAD: User input used in lookup\n  ctx.lookup(name);\n\n  // GOOD: The name is validated before being used in lookup\n  if (isValid(name)) {\n    ctx.lookup(name);\n  } else {\n    // Reject the request\n  }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n",
+                  "markdown": "# JNDI lookup with user-controlled name\nThe Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name. If the name being used to look up the data is controlled by the user, it can point to a malicious server, which can return an arbitrary object. In the worst case, this can allow remote code execution.\n\n\n## Recommendation\nThe general recommendation is to avoid passing untrusted data to the `InitialContext.lookup ` method. If the name being used to look up the object must be provided by the user, make sure that it's not in the form of an absolute URL or that it's the URL pointing to a trusted server.\n\n\n## Example\nIn the following examples, the code accepts a name from the user, which it uses to look up an object.\n\nIn the first example, the user provided name is used to look up an object.\n\nThe second example validates the name before using it to look up an object.\n\n\n```java\nimport javax.naming.Context;\nimport javax.naming.InitialContext;\n\npublic void jndiLookup(HttpServletRequest request) throws NamingException {\n  String name = request.getParameter(\"name\");\n\n  Hashtable env = new Hashtable();\n  env.put(Context.INITIAL_CONTEXT_FACTORY, \"com.sun.jndi.rmi.registry.RegistryContextFactory\");\n  env.put(Context.PROVIDER_URL, \"rmi://trusted-server:1099\");\n  InitialContext ctx = new InitialContext(env);\n\n  // BAD: User input used in lookup\n  ctx.lookup(name);\n\n  // GOOD: The name is validated before being used in lookup\n  if (isValid(name)) {\n    ctx.lookup(name);\n  } else {\n    // Reject the request\n  }\n}\n```\n\n## References\n* Oracle: [Java Naming and Directory Interface (JNDI)](https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/).\n* Black Hat materials: [A Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream Land](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf).\n* Veracode: [Exploiting JNDI Injections in Java](https://www.veracode.com/blog/research/exploiting-jndi-injections-java).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-074",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/ldap-injection",
+                "name": "java/ldap-injection",
+                "shortDescription": {
+                  "text": "LDAP query built from user-controlled sources"
+                },
+                "fullDescription": {
+                  "text": "Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // BAD: User input used in DN (Distinguished Name) without encoding\n  String dn = \"OU=People,O=\" + organizationName;\n\n  // BAD: User input used in search filter without encoding\n  String filter = \"username=\" + userName;\n\n  ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // ESAPI encoder\n  Encoder encoder = DefaultEncoder.getInstance();\n\n  // GOOD: Organization name is encoded before being used in DN\n  String safeOrganizationName = encoder.encodeForDN(organizationName);\n  String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n  // GOOD: User input is encoded before being used in search filter\n  String safeUsername = encoder.encodeForLDAP(username);\n  String safeFilter = \"username=\" + safeUsername;\n  \n  ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n  // GOOD: Organization name is encoded before being used in DN\n  String safeDn = LdapNameBuilder.newInstance()\n    .add(\"O\", organizationName)\n    .add(\"OU=People\")\n    .build().toString();\n\n  // GOOD: User input is encoded before being used in search filter\n  LdapQuery query = query()\n    .base(safeDn)\n    .where(\"username\").is(username);\n\n  ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // GOOD: Organization name is encoded before being used in DN\n  DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n  // GOOD: User input is encoded before being used in search filter\n  Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n  \n  c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // GOOD: Organization name is encoded before being used in DN\n  Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n  // GOOD: User input is encoded before being used in search filter\n  String safeFilter = equal(\"username\", username);\n  \n  SearchRequest searchRequest = new SearchRequestImpl();\n  searchRequest.setBase(safeDn);\n  searchRequest.setFilter(safeFilter);\n  c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n",
+                  "markdown": "# LDAP query built from user-controlled sources\nIf an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.\n\n\n## Recommendation\nIf user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible build the LDAP query using framework helper methods, for example from Spring's `LdapQueryBuilder` and `LdapNameBuilder`, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: `encodeForLDAP` or `encodeForDN` from OWASP ESAPI, `LdapEncoder.filterEncode` or `LdapEncoder.nameEncode` from Spring LDAP, or `Filter.encodeValue` from UnboundID library.\n\n\n## Example\nIn the following examples, the code accepts an \"organization name\" and a \"username\" from the user, which it uses to query LDAP.\n\nThe first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using Java JNDI API.\n\nThe second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. This ensures the meaning of the query cannot be changed by a malicious user.\n\n\n```java\nimport javax.naming.directory.DirContext;\nimport org.owasp.esapi.Encoder;\nimport org.owasp.esapi.reference.DefaultEncoder;\n\npublic void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // BAD: User input used in DN (Distinguished Name) without encoding\n  String dn = \"OU=People,O=\" + organizationName;\n\n  // BAD: User input used in search filter without encoding\n  String filter = \"username=\" + userName;\n\n  ctx.search(dn, filter, new SearchControls());\n}\n\npublic void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // ESAPI encoder\n  Encoder encoder = DefaultEncoder.getInstance();\n\n  // GOOD: Organization name is encoded before being used in DN\n  String safeOrganizationName = encoder.encodeForDN(organizationName);\n  String safeDn = \"OU=People,O=\" + safeOrganizationName;\n\n  // GOOD: User input is encoded before being used in search filter\n  String safeUsername = encoder.encodeForLDAP(username);\n  String safeFilter = \"username=\" + safeUsername;\n  \n  ctx.search(safeDn, safeFilter, new SearchControls());\n}\n```\nThe third example uses Spring `LdapQueryBuilder` to build an LDAP query. In addition to simplifying the building of complex search parameters, it also provides proper escaping of any unsafe characters in search filters. The DN is built using `LdapNameBuilder`, which also provides proper escaping.\n\n\n```java\nimport static org.springframework.ldap.query.LdapQueryBuilder.query;\nimport org.springframework.ldap.support.LdapNameBuilder;\n\npublic void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {\n  // GOOD: Organization name is encoded before being used in DN\n  String safeDn = LdapNameBuilder.newInstance()\n    .add(\"O\", organizationName)\n    .add(\"OU=People\")\n    .build().toString();\n\n  // GOOD: User input is encoded before being used in search filter\n  LdapQuery query = query()\n    .base(safeDn)\n    .where(\"username\").is(username);\n\n  ldapTemplate.search(query, new AttributeCheckAttributesMapper());\n}\n```\nThe fourth example uses `UnboundID` classes, `Filter` and `DN`, to construct a safe filter and base DN.\n\n\n```java\nimport com.unboundid.ldap.sdk.LDAPConnection;\nimport com.unboundid.ldap.sdk.DN;\nimport com.unboundid.ldap.sdk.RDN;\nimport com.unboundid.ldap.sdk.Filter;\n\npublic void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // GOOD: Organization name is encoded before being used in DN\n  DN safeDn = new DN(new RDN(\"OU\", \"People\"), new RDN(\"O\", organizationName));\n\n  // GOOD: User input is encoded before being used in search filter\n  Filter safeFilter = Filter.createEqualityFilter(\"username\", username);\n  \n  c.search(safeDn.toString(), SearchScope.ONE, safeFilter);\n}\n```\nThe fifth example shows how to build a safe filter and DN using the Apache LDAP API.\n\n\n```java\nimport org.apache.directory.ldap.client.api.LdapConnection;\nimport org.apache.directory.api.ldap.model.name.Dn;\nimport org.apache.directory.api.ldap.model.name.Rdn;\nimport org.apache.directory.api.ldap.model.message.SearchRequest;\nimport org.apache.directory.api.ldap.model.message.SearchRequestImpl;\nimport static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;\n\npublic void ldapQueryGood(HttpServletRequest request, LdapConnection c) {\n  String organizationName = request.getParameter(\"organization_name\");\n  String username = request.getParameter(\"username\");\n\n  // GOOD: Organization name is encoded before being used in DN\n  Dn safeDn = new Dn(new Rdn(\"OU\", \"People\"), new Rdn(\"O\", organizationName));\n\n  // GOOD: User input is encoded before being used in search filter\n  String safeFilter = equal(\"username\", username);\n  \n  SearchRequest searchRequest = new SearchRequestImpl();\n  searchRequest.setBase(safeDn);\n  searchRequest.setFilter(safeFilter);\n  c.search(searchRequest);\n}\n```\n\n## References\n* OWASP: [LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html).\n* OWASP ESAPI: [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/).\n* Spring LdapQueryBuilder doc: [LdapQueryBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html).\n* Spring LdapNameBuilder doc: [LdapNameBuilder](https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html).\n* UnboundID: [Understanding and Defending Against LDAP Injection Attacks](https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-090",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/maven/dependency-upon-bintray",
+                "name": "java/maven/dependency-upon-bintray",
+                "shortDescription": {
+                  "text": "Depending upon JCenter/Bintray as an artifact repository"
+                },
+                "fullDescription": {
+                  "text": "Using a deprecated artifact repository may eventually give attackers access for a supply chain attack."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n    4.0.0\n\n    com.semmle\n    parent\n    1.0\n    pom\n\n    Bintray Usage\n    An example of using bintray to download and upload dependencies\n\n    \n        \n            jcenter\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n        \n            jcenter-snapshots\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n    \n    \n        \n            jcenter\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n    \n    \n        \n            jcenter\n            JCenter\n            \n            https://dl.bintray.com/groovy/maven\n        \n    \n    \n        \n            jcenter-plugins\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n    \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n",
+                  "markdown": "# Depending upon JCenter/Bintray as an artifact repository\n[Bintray and JCenter are shutting down on February 1st, 2022](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences; for example, artifacts being resolved from a different artifact server or a total failure of the CI build.\n\nWhen artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge. Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\n\n## Recommendation\nAlways use the canonical repository for resolving your dependencies.\n\n\n## Example\nThe following example shows locations in a Maven POM file where artifact repository upload/download is configured. The use of Bintray in any of these locations is not advised.\n\n\n```xml\n\n\n\n    4.0.0\n\n    com.semmle\n    parent\n    1.0\n    pom\n\n    Bintray Usage\n    An example of using bintray to download and upload dependencies\n\n    \n        \n            jcenter\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n        \n            jcenter-snapshots\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n    \n    \n        \n            jcenter\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n    \n    \n        \n            jcenter\n            JCenter\n            \n            https://dl.bintray.com/groovy/maven\n        \n    \n    \n        \n            jcenter-plugins\n            JCenter\n            \n            https://jcenter.bintray.com\n        \n    \n\n\n```\n\n## References\n* JFrog blog: [ Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter ](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/)\n* Common Weakness Enumeration: [CWE-1104](https://cwe.mitre.org/data/definitions/1104.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-1104",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql",
+                  "precision": "very-high",
+                  "security-severity": "6.5"
+                }
+              },
+              {
+                "id": "java/maven/non-https-url",
+                "name": "java/maven/non-https-url",
+                "shortDescription": {
+                  "text": "Failure to use HTTPS or SFTP URL in Maven artifact upload/download"
+                },
+                "fullDescription": {
+                  "text": "Non-HTTPS connections can be intercepted by third parties."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n    4.0.0\n\n    com.semmle\n    parent\n    1.0\n    pom\n\n    Security Testing\n    An example of insecure download and upload of dependencies\n\n    \n        \n            insecure-releases\n            Insecure Repository Releases\n            \n            http://insecure-repository.example\n        \n        \n            insecure-snapshots\n            Insecure Repository Snapshots\n            \n            http://insecure-repository.example\n        \n    \n    \n        \n            insecure\n            Insecure Repository\n            \n            http://insecure-repository.example\n        \n    \n    \n        \n            insecure-plugins\n            Insecure Repository Releases\n            \n            http://insecure-repository.example\n        \n    \n\n\n```\n\n```xml\n\n\n\n    4.0.0\n\n    com.semmle\n    parent\n    1.0\n    pom\n\n    Security Testing\n    An example of secure download and upload of dependencies\n\n    \n        \n            insecure-releases\n            Secure Repository Releases\n            \n            https://insecure-repository.example\n        \n        \n            insecure-snapshots\n            Secure Repository Snapshots\n            \n            https://insecure-repository.example\n        \n    \n    \n        \n            insecure\n            Secure Repository\n            \n            https://insecure-repository.example\n        \n    \n    \n        \n            insecure-plugins\n            Secure Repository Releases\n            \n            https://insecure-repository.example\n        \n    \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n",
+                  "markdown": "# Failure to use HTTPS or SFTP URL in Maven artifact upload/download\nUsing an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a [Man in the Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts that are being produced. This can be used by attackers to perform a [Supply chain attack](https://en.wikipedia.org/wiki/Supply_chain_attack) against your project's users.\n\nThis vulnerability has a [ CVSS v3.1 base score of 8.1/10 ](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1).\n\n\n## Recommendation\nAlways use HTTPS or SFTP to download artifacts from artifact servers.\n\n\n## Example\nThese examples show examples of locations in Maven POM files where artifact repository upload/download is configured. The first shows the use of HTTP, the second shows the use of HTTPS.\n\n\n```xml\n\n\n\n    4.0.0\n\n    com.semmle\n    parent\n    1.0\n    pom\n\n    Security Testing\n    An example of insecure download and upload of dependencies\n\n    \n        \n            insecure-releases\n            Insecure Repository Releases\n            \n            http://insecure-repository.example\n        \n        \n            insecure-snapshots\n            Insecure Repository Snapshots\n            \n            http://insecure-repository.example\n        \n    \n    \n        \n            insecure\n            Insecure Repository\n            \n            http://insecure-repository.example\n        \n    \n    \n        \n            insecure-plugins\n            Insecure Repository Releases\n            \n            http://insecure-repository.example\n        \n    \n\n\n```\n\n```xml\n\n\n\n    4.0.0\n\n    com.semmle\n    parent\n    1.0\n    pom\n\n    Security Testing\n    An example of secure download and upload of dependencies\n\n    \n        \n            insecure-releases\n            Secure Repository Releases\n            \n            https://insecure-repository.example\n        \n        \n            insecure-snapshots\n            Secure Repository Snapshots\n            \n            https://insecure-repository.example\n        \n    \n    \n        \n            insecure\n            Secure Repository\n            \n            https://insecure-repository.example\n        \n    \n    \n        \n            insecure-plugins\n            Secure Repository Releases\n            \n            https://insecure-repository.example\n        \n    \n\n\n```\n\n## References\n* Research: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)\n* Research: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Proof of Concept: [ mveytsman/dilettante ](https://github.com/mveytsman/dilettante)\n* Additional Gradle & Maven plugin: [ Announcing nohttp ](https://spring.io/blog/2019/06/10/announcing-nohttp)\n* Java Ecosystem Announcement: [ HTTP Decommission Artifact Server Announcements ](https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-300",
+                    "external/cwe/cwe-319",
+                    "external/cwe/cwe-494",
+                    "external/cwe/cwe-829",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql",
+                  "precision": "very-high",
+                  "security-severity": "8.1"
+                }
+              },
+              {
+                "id": "java/missing-jwt-signature-check",
+                "name": "java/missing-jwt-signature-check",
+                "shortDescription": {
+                  "text": "Missing JWT signature check"
+                },
+                "fullDescription": {
+                  "text": "Failing to check the Json Web Token (JWT) signature may allow an attacker to forge their own tokens."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parse(plaintextJwt, new JwtHandlerAdapter>() {\n                    @Override\n                    public Jwt onPlaintextJwt(Jwt jwt) {\n                        return jwt;\n                    }\n                }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parseClaimsJws(token) // GOOD: Verify the signature\n                .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parse(plaintextJwt, new JwtHandlerAdapter>() {\n                    @Override\n                    public Jws onPlaintextJws(Jws jws) {\n                        return jws;\n                    }\n                }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n",
+                  "markdown": "# Missing JWT signature check\nA JSON Web Token (JWT) consists of three parts: header, payload, and signature. The `io.jsonwebtoken.jjwt` library is one of many libraries used for working with JWTs. It offers different methods for parsing tokens like `parse`, `parseClaimsJws`, and `parsePlaintextJws`. The last two correctly verify that the JWT is properly signed. This is done by computing the signature of the combination of header and payload and comparing the locally computed signature with the signature part of the JWT.\n\nTherefore it is necessary to provide the `JwtParser` with a key that is used for signature validation. Unfortunately the `parse` method **accepts** a JWT whose signature is empty although a signing key has been set for the parser. This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.\n\n\n## Recommendation\nAlways verify the signature by using either the `parseClaimsJws` and `parsePlaintextJws` methods or by overriding the `onPlaintextJws` or `onClaimsJws` of `JwtHandlerAdapter`.\n\n\n## Example\nThe following example shows four cases where a signing key is set for a parser. In the first 'BAD' case the `parse` method is used, which will not validate the signature. The second 'BAD' case uses a `JwtHandlerAdapter` where the `onPlaintextJwt` method is overriden, so it will not validate the signature. The third and fourth 'GOOD' cases use `parseClaimsJws` method or override the `onPlaintextJws` method.\n\n\n```java\npublic void badJwt(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parse(token); // BAD: Does not verify the signature\n}\n\npublic void badJwtHandler(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parse(plaintextJwt, new JwtHandlerAdapter>() {\n                    @Override\n                    public Jwt onPlaintextJwt(Jwt jwt) {\n                        return jwt;\n                    }\n                }); // BAD: The handler is called on an unverified JWT\n}\n\npublic void goodJwt(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parseClaimsJws(token) // GOOD: Verify the signature\n                .getBody();\n}\n\npublic void goodJwtHandler(String token) {\n    Jwts.parserBuilder()\n                .setSigningKey(\"someBase64EncodedKey\").build()\n                .parse(plaintextJwt, new JwtHandlerAdapter>() {\n                    @Override\n                    public Jws onPlaintextJws(Jws jws) {\n                        return jws;\n                    }\n                }); // GOOD: The handler is called on a verified JWS\n}\n```\n\n## References\n* zofrex: [How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App](https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-347",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql",
+                  "precision": "high",
+                  "security-severity": "7.8"
+                }
+              },
+              {
+                "id": "java/mvel-expression-injection",
+                "name": "java/mvel-expression-injection",
+                "shortDescription": {
+                  "text": "Expression language injection (MVEL)"
+                },
+                "fullDescription": {
+                  "text": "Evaluation of a user-controlled MVEL expression may lead to remote code execution."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n    new InputStreamReader(socket.getInputStream()))) {\n  \n    String expression = reader.readLine();\n    // BAD: the user-provided expression is directly evaluated\n    MVEL.eval(expression);\n  }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n    new InputStreamReader(socket.getInputStream()))) {\n  \n    String expression = reader.readLine();\n    // GOOD: the user-provided expression is validated before evaluation\n    validateExpression(expression);\n    MVEL.eval(expression);\n  }\n}\n\nprivate void validateExpression(String expression) {\n  // Validate that the expression does not contain unexpected code.\n  // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Expression language injection (MVEL)\nMVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.\n\n\n## Recommendation\nIncluding user input in a MVEL expression should be avoided.\n\n\n## Example\nIn the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.\n\n\n```java\npublic void evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n    new InputStreamReader(socket.getInputStream()))) {\n  \n    String expression = reader.readLine();\n    // BAD: the user-provided expression is directly evaluated\n    MVEL.eval(expression);\n  }\n}\n\npublic void safeEvaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n    new InputStreamReader(socket.getInputStream()))) {\n  \n    String expression = reader.readLine();\n    // GOOD: the user-provided expression is validated before evaluation\n    validateExpression(expression);\n    MVEL.eval(expression);\n  }\n}\n\nprivate void validateExpression(String expression) {\n  // Validate that the expression does not contain unexpected code.\n  // For instance, this can be done with allow-lists or deny-lists of code patterns.\n}\n```\n\n## References\n* MVEL Documentation: [Language Guide for 2.0](http://mvel.documentnode.com/).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/netty-http-request-or-response-splitting",
+                "name": "java/netty-http-request-or-response-splitting",
+                "shortDescription": {
+                  "text": "Disabled Netty HTTP header validation"
+                },
+                "fullDescription": {
+                  "text": "Disabling HTTP header validation makes code vulnerable to attack by header splitting if user input is written directly to an HTTP header."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n",
+                  "markdown": "# Disabled Netty HTTP header validation\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP request-splitting or response-splitting vulnerability.\n\nHTTP response splitting can lead to vulnerabilities such as XSS and cache poisoning.\n\nHTTP request splitting can allow an attacker to inject an additional HTTP request into a client's outgoing socket connection. This can allow an attacker to perform an SSRF-like attack.\n\nIn the context of a servlet container, if the user input includes blank lines and the servlet container does not escape the blank lines, then a remote user can cause the response to turn into two separate responses. The remote user can then control one or more responses, which is also HTTP response splitting.\n\n\n## Recommendation\nGuard against HTTP header splitting in the same way as guarding against cross-site scripting. Before passing any data into HTTP headers, either check the data for special characters, or escape any special characters that are present.\n\nIf the code calls Netty API's directly, ensure that the `validateHeaders` parameter is set to `true`.\n\n\n## Example\nThe following example shows the 'name' parameter being written to a cookie in two different ways. The first way writes it directly to the cookie, and thus is vulnerable to response-splitting attacks. The second way first removes all special characters, thus avoiding the potential problem.\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: setting a cookie with an unvalidated parameter\n\t\tCookie cookie = new Cookie(\"name\", request.getParameter(\"name\"));\n\t\tresponse.addCookie(cookie);\n\n\t\t// GOOD: remove special characters before putting them in the header\n\t\tString name = removeSpecial(request.getParameter(\"name\"));\n\t\tCookie cookie2 = new Cookie(\"name\", name);\n\t\tresponse.addCookie(cookie2);\n\t}\n\n\tprivate static String removeSpecial(String str) {\n\t\treturn str.replaceAll(\"[^a-zA-Z ]\", \"\");\n\t}\n}\n\n```\n\n## Example\nThe following example shows the use of the library 'netty' with HTTP response-splitting verification configurations. The second way will verify the parameters before using them to build the HTTP response.\n\n\n```java\nimport io.netty.handler.codec.http.DefaultHttpHeaders;\n\npublic class ResponseSplitting {\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal response splitting verification\n    private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);\n}\n\n```\n\n## Example\nThe following example shows the use of the netty library with configurations for verification of HTTP request splitting. The second recommended approach in the example verifies the parameters before using them to build the HTTP request.\n\n\n```java\npublic class NettyRequestSplitting {\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();\n\n    // BAD: Disables the internal request splitting verification\n    private final DefaultHttpRequest badRequest = new DefaultHttpRequest(httpVersion, method, uri, false);\n\n    // GOOD: Verifies headers passed don't contain CRLF characters\n    private final DefaultHttpRequest goodResponse = new DefaultHttpRequest(httpVersion, method, uri);\n}\n\n```\n\n## References\n* SecLists.org: [HTTP response splitting](https://seclists.org/bugtraq/2005/Apr/187).\n* OWASP: [HTTP Response Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting).\n* Wikipedia: [HTTP response splitting](http://en.wikipedia.org/wiki/HTTP_response_splitting).\n* CAPEC: [CAPEC-105: HTTP Request Splitting](https://capec.mitre.org/data/definitions/105.html)\n* Common Weakness Enumeration: [CWE-93](https://cwe.mitre.org/data/definitions/93.html).\n* Common Weakness Enumeration: [CWE-113](https://cwe.mitre.org/data/definitions/113.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-113",
+                    "external/cwe/cwe-93",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql",
+                  "precision": "high",
+                  "security-severity": "6.1"
+                }
+              },
+              {
+                "id": "java/ognl-injection",
+                "name": "java/ognl-injection",
+                "shortDescription": {
+                  "text": "OGNL Expression Language statement with user-controlled input"
+                },
+                "fullDescription": {
+                  "text": "Evaluation of OGNL Expression Language statement with user-controlled input can lead to execution of arbitrary code."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n  String expression = request.getParameter(\"expression\");\n\n  // BAD: User provided expression is evaluated\n  Ognl.getValue(expression, root);\n  \n  // GOOD: The name is validated and expression is evaluated in sandbox\n  System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n  if (isValid(expression)) {\n    Ognl.getValue(expression, root);\n  } else {\n    // Reject the request\n  }\n}\n\npublic void isValid(Strig expression) {\n  // Custom method to validate the expression.\n  // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n",
+                  "markdown": "# OGNL Expression Language statement with user-controlled input\nObject-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java. OGNL can create or change executable code, consequently it can introduce critical security flaws to any application that uses it. Evaluation of unvalidated expressions is a common flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and may allow them to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.\n\n\n## Example\nIn the following examples, the code accepts an OGNL expression from the user and evaluates it.\n\nIn the first example, the user-provided OGNL expression is parsed and evaluated.\n\nThe second example validates the expression and evaluates it inside a sandbox. You can add a sandbox by setting a system property, as shown in the example, or by adding `-Dognl.security.manager` to JVM arguments.\n\n\n```java\nimport ognl.Ognl;\nimport ognl.OgnlException;\n\npublic void evaluate(HttpServletRequest request, Object root) throws OgnlException {\n  String expression = request.getParameter(\"expression\");\n\n  // BAD: User provided expression is evaluated\n  Ognl.getValue(expression, root);\n  \n  // GOOD: The name is validated and expression is evaluated in sandbox\n  System.setProperty(\"ognl.security.manager\", \"\"); // Or add -Dognl.security.manager to JVM args\n  if (isValid(expression)) {\n    Ognl.getValue(expression, root);\n  } else {\n    // Reject the request\n  }\n}\n\npublic void isValid(Strig expression) {\n  // Custom method to validate the expression.\n  // For instance, make sure it doesn't include unexpected code.\n}\n\n```\n\n## References\n* Apache Commons: [Apache Commons OGNL](https://commons.apache.org/proper/commons-ognl/).\n* Struts security: [Proactively protect from OGNL Expression Injections attacks](https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable).\n* Common Weakness Enumeration: [CWE-917](https://cwe.mitre.org/data/definitions/917.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-917",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/overly-large-range",
+                "name": "java/overly-large-range",
+                "shortDescription": {
+                  "text": "Overly permissive regular expression range"
+                },
+                "fullDescription": {
+                  "text": "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n    public static boolean is_valid_hex_color(String color) {\n        return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n    }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n    public static boolean is_valid_hex_color(String color) {\n        return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n    }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n",
+                  "markdown": "# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```java\n\nimport java.util.regex.Pattern\npublic class Tester {\n    public static boolean is_valid_hex_color(String color) {\n        return Pattern.matches(\"#[0-9a-fA-f]{6}\", color);\n    }\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nimport java.util.regex.Pattern\npublic class Tester {\n    public static boolean is_valid_hex_color(String color) {\n        return Pattern.matches(\"#[0-9a-fA-F]{6}\", color);\n    }\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "correctness",
+                    "external/cwe/cwe-020",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql",
+                  "precision": "high",
+                  "security-severity": "5"
+                }
+              },
+              {
+                "id": "java/partial-path-traversal-from-remote",
+                "name": "java/partial-path-traversal-from-remote",
+                "shortDescription": {
+                  "text": "Partial path traversal vulnerability from remote"
+                },
+                "fullDescription": {
+                  "text": "A prefix used to check that a canonicalised path falls within another must be slash-terminated."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n    public void example(File dir, File parent) throws IOException {\n        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n            throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n        }\n    }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n    public void example(File dir, File parent) throws IOException {\n        if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n            throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n        }\n    }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n",
+                  "markdown": "# Partial path traversal vulnerability from remote\nA common way to check that a user-supplied path `SUBDIR` falls inside a directory `DIR` is to use `getCanonicalPath()` to remove any path-traversal elements and then check that `DIR` is a prefix. However, if `DIR` is not slash-terminated, this can unexpectedly allow accessing siblings of `DIR`.\n\nSee also `java/partial-path-traversal`, which is similar to this query, but may also flag non-remotely-exploitable instances of partial path traversal vulnerabilities.\n\n\n## Recommendation\nIf the user should only access items within a certain directory `DIR`, ensure that `DIR` is slash-terminated before checking that `DIR` is a prefix of the user-provided path, `SUBDIR`. Note, Java's `getCanonicalPath()` returns a **non**-slash-terminated path string, so a slash must be added to `DIR` if that method is used.\n\n\n## Example\nIn this example, the `if` statement checks if `parent.getCanonicalPath()` is a prefix of `dir.getCanonicalPath()`. However, `parent.getCanonicalPath()` is not slash-terminated. This means that users that supply `dir` may be also allowed to access siblings of `parent` and not just children of `parent`, which is a security issue.\n\n\n```java\npublic class PartialPathTraversalBad {\n    public void example(File dir, File parent) throws IOException {\n        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {\n            throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n        }\n    }\n}\n\n```\nIn this example, the `if` statement checks if `parent.toPath()` is a prefix of `dir.normalize()`. Because `Path#startsWith` does the correct check that `dir` is a child of `parent`, users will not be able to access siblings of `parent`, as desired.\n\n\n```java\nimport java.io.File;\n\npublic class PartialPathTraversalGood {\n    public void example(File dir, File parent) throws IOException {\n        if (!dir.toPath().normalize().startsWith(parent.toPath())) {\n            throw new IOException(\"Path traversal attempt: \" + dir.getCanonicalPath());\n        }\n    }\n}\n\n```\n\n## References\n* OWASP: [Partial Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* CVE-2022-23457: [ ESAPI Vulnerability Report](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-023",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/path-injection",
+                "name": "java/path-injection",
+                "shortDescription": {
+                  "text": "Uncontrolled data used in path expression"
+                },
+                "fullDescription": {
+                  "text": "Accessing paths influenced by users can allow an attacker to access unexpected resources."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + \"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n",
+                  "markdown": "# Uncontrolled data used in path expression\nAccessing paths controlled by users can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nPaths that are naively constructed from data controlled by a user may be absolute paths, or may contain unexpected special characters such as \"..\". Such a path could point anywhere on the file system.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nCommon validation methods include checking that the normalized path is relative and does not contain any \"..\" components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.\n\nIf the path should be a single path component (such as a file name), you can check for the existence of any path separators (\"/\" or \"\\\\\"), or \"..\" sequences in the input, and reject the input if any are found.\n\nNote that removing \"../\" sequences is *not* sufficient, since the input could still contain a path separator followed by \"..\". For example, the input \".../...//\" would still result in the string \"../\" if only \"../\" sequences are removed.\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn this example, a file name is read from a `java.net.Socket` and then used to access a file and send it back over the socket. However, a malicious user could enter a file name anywhere on the file system, such as \"/etc/passwd\" or \"../../../etc/passwd\".\n\n\n```java\npublic void sendUserFile(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// BAD: read from a file without checking its path\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n\n```\nIf the input should only be a file name, you can check that it doesn't contain any path separators or \"..\" sequences.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\t// GOOD: ensure that the filename has no path separators or parent directory references\n\tif (filename.contains(\"..\") || filename.contains(\"/\") || filename.contains(\"\\\\\")) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filename));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\t\n}\n\n```\nIf the input should be within a specific directory, you can check that the resolved path is still contained within that directory.\n\n\n```java\npublic void sendUserFileGood(Socket sock, String user) {\n\tBufferedReader filenameReader = new BufferedReader(\n\t\t\tnew InputStreamReader(sock.getInputStream(), \"UTF-8\"));\n\tString filename = filenameReader.readLine();\n\n\tPath publicFolder = Paths.get(\"/home/\" + user + \"/public\").normalize().toAbsolutePath();\n\tPath filePath = publicFolder.resolve(filename).normalize().toAbsolutePath();\n\n\t// GOOD: ensure that the path stays within the public folder\n\tif (!filePath.startsWith(publicFolder + File.separator)) {\n\t\tthrow new IllegalArgumentException(\"Invalid filename\");\n\t}\n\tBufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));\n\tString fileLine = fileReader.readLine();\n\twhile(fileLine != null) {\n\t\tsock.getOutputStream().write(fileLine.getBytes());\n\t\tfileLine = fileReader.readLine();\n\t}\n}\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-022",
+                    "external/cwe/cwe-023",
+                    "external/cwe/cwe-036",
+                    "external/cwe/cwe-073",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/polynomial-redos",
+                "name": "java/polynomial-redos",
+                "shortDescription": {
+                  "text": "Polynomial regular expression used on uncontrolled data"
+                },
+                "fullDescription": {
+                  "text": "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 1000) {\n    throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n",
+                  "markdown": "# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```java\n\nPattern.compile(\"^\\\\s+|\\\\s+$\").matcher(text).replaceAll(\"\") // BAD\n```\nThe sub-expression `\"\\\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`\"^\\\\s+|(? 1000) {\n    throw new IllegalArgumentException(\"Input too long\");\n}\n\nPattern.matches(\"^(\\\\+|-)?(\\\\d+|(\\\\d*\\\\.\\\\d*))?(E|e)?([-+])?(\\\\d+)?$\", str); \n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-1333",
+                    "external/cwe/cwe-400",
+                    "external/cwe/cwe-730",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/predictable-seed",
+                "name": "java/predictable-seed",
+                "shortDescription": {
+                  "text": "Use of a predictable seed in a secure random number generator"
+                },
+                "fullDescription": {
+                  "text": "Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n",
+                  "markdown": "# Use of a predictable seed in a secure random number generator\nUsing a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.\n\n\n## Recommendation\nIf the predictability of the pseudo-random number generator does not matter then consider using the faster `Random` class from `java.util`. If it is important that the pseudo-random number generator produces completely unpredictable values then either let the generator securely seed itself by not specifying a seed or specify a randomly generated, unpredictable seed.\n\n\n## Example\nIn the first example shown here, a constant value is used as a seed. Depending on the implementation of ` SecureRandom`, this could lead to the same random number being generated each time the code is executed.\n\nIn the second example shown here, the system time is used as a seed. Depending on the implementation of ` SecureRandom`, if an attacker knows what time the code was run, they could predict the generated random number.\n\nIn the third example shown here, the random number generator is allowed to generate its own seed, which it will do in a secure way.\n\n\n```java\nSecureRandom prng = new SecureRandom();\nint randomData = 0;\n\n// BAD: Using a constant value as a seed for a random number generator means all numbers it generates are predictable.\nprng.setSeed(12345L);\nrandomData = prng.next(32);\n\n// BAD: System.currentTimeMillis() returns the system time which is predictable.\nprng.setSeed(System.currentTimeMillis());\nrandomData = prng.next(32);\n\n// GOOD: SecureRandom implementations seed themselves securely by default.\nprng = new SecureRandom();\nrandomData = prng.next(32);\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-335](https://cwe.mitre.org/data/definitions/335.html).\n* Common Weakness Enumeration: [CWE-337](https://cwe.mitre.org/data/definitions/337.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-335",
+                    "external/cwe/cwe-337",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/redos",
+                "name": "java/redos",
+                "shortDescription": {
+                  "text": "Inefficient regular expression"
+                },
+                "fullDescription": {
+                  "text": "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n",
+                  "markdown": "# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engine provided by Java uses a backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\nNote that Java versions 9 and above have some mitigations against ReDoS; however they aren't perfect and more complex regular expressions can still be affected by this problem.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter. Alternatively, an alternate regex library that guarantees linear time execution, such as Google's RE2J, may be used.\n\n\n## Example\nConsider this regular expression:\n\n```java\n\n^_(__|.)+_$\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```java\n\n^_(__|[^_])+_$\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-1333",
+                    "external/cwe/cwe-400",
+                    "external/cwe/cwe-730",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/ReDoS.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/regex-injection",
+                "name": "java/regex-injection",
+                "shortDescription": {
+                  "text": "Regular expression injection"
+                },
+                "fullDescription": {
+                  "text": "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n  public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n    String regex = request.getParameter(\"regex\");\n    String input = request.getParameter(\"input\");\n\n    // BAD: Unsanitized user input is used to construct a regular expression\n    return input.matches(regex);\n  }\n\n  public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n    String regex = request.getParameter(\"regex\");\n    String input = request.getParameter(\"input\");\n\n    // GOOD: User input is sanitized before constructing the regex\n    return input.matches(Pattern.quote(regex));\n  }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: [Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n",
+                  "markdown": "# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as `Pattern.quote` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows an HTTP request parameter that is used to construct a regular expression.\n\nIn the first case the user-provided regex is not escaped. If a malicious user provides a regex whose worst-case performance is exponential, then this could lead to a Denial of Service.\n\nIn the second case, the user input is escaped using `Pattern.quote` before being included in the regular expression. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```java\nimport java.util.regex.Pattern;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\n\npublic class RegexInjectionDemo extends HttpServlet {\n\n  public boolean badExample(javax.servlet.http.HttpServletRequest request) {\n    String regex = request.getParameter(\"regex\");\n    String input = request.getParameter(\"input\");\n\n    // BAD: Unsanitized user input is used to construct a regular expression\n    return input.matches(regex);\n  }\n\n  public boolean goodExample(javax.servlet.http.HttpServletRequest request) {\n    String regex = request.getParameter(\"regex\");\n    String input = request.getParameter(\"input\");\n\n    // GOOD: User input is sanitized before constructing the regex\n    return input.matches(Pattern.quote(regex));\n  }\n}\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Java API Specification: [Pattern.quote](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/regex/Pattern.html#quote(java.lang.String)).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-400",
+                    "external/cwe/cwe-730",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/rsa-without-oaep",
+                "name": "java/rsa-without-oaep",
+                "shortDescription": {
+                  "text": "Use of RSA algorithm without OAEP"
+                },
+                "fullDescription": {
+                  "text": "Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n",
+                  "markdown": "# Use of RSA algorithm without OAEP\nCryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption. Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.\n\n\n## Recommendation\nUse the OAEP scheme when using RSA encryption.\n\n\n## Example\nIn the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.\n\n\n```java\n// BAD: No padding scheme is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/NoPadding\");\n...\n\n//GOOD: OAEP padding is used\nCipher rsa = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-1AndMGF1Padding\");\n...\n```\n\n## References\n* [Mobile Security Testing Guide](https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations).\n* [The Padding Oracle Attack](https://robertheaton.com/2013/07/29/padding-oracle-attack/).\n* Common Weakness Enumeration: [CWE-780](https://cwe.mitre.org/data/definitions/780.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-780",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/server-side-template-injection",
+                "name": "java/server-side-template-injection",
+                "shortDescription": {
+                  "text": "Server-side template injection"
+                },
+                "fullDescription": {
+                  "text": "Untrusted input interpreted as a template can lead to remote code execution."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Server-side template injection\nTemplate injection occurs when user input is embedded in a template's code in an unsafe manner. An attacker can use native template syntax to inject a malicious payload into a template, which is then executed server-side. This permits the attacker to run arbitrary code in the server's context.\n\n\n## Recommendation\nTo fix this, ensure that untrusted input is not used as part of a template's code. If the application requirements do not allow this, use a sandboxed environment where access to unsafe attributes and methods is prohibited.\n\n\n## Example\nIn the example given below, an untrusted HTTP parameter `code` is used as a Velocity template string. This can lead to remote code execution.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"bad\")\n\tpublic void bad(HttpServletRequest request) {\n\t\tVelocity.init();\n\n\t\tString code = request.getParameter(\"code\");\n\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tStringWriter w = new StringWriter();\n\t\t// evaluate( Context context, Writer out, String logTag, String instring )\n\t\tVelocity.evaluate(context, w, \"mystring\", code);\n\t}\n}\n\n```\nIn the next example, the problem is avoided by using a fixed template string `s`. Since the template's code is not attacker-controlled in this case, this solution prevents the execution of untrusted code.\n\n\n```java\n@Controller\npublic class VelocitySSTI {\n\n\t@GetMapping(value = \"good\")\n\tpublic void good(HttpServletRequest request) {\n\t\tVelocity.init();\n\t\tVelocityContext context = new VelocityContext();\n\n\t\tcontext.put(\"name\", \"Velocity\");\n\t\tcontext.put(\"project\", \"Jakarta\");\n\n\t\tString s = \"We are using $project $name to render this.\";\n\t\tStringWriter w = new StringWriter();\n\t\tVelocity.evaluate(context, w, \"mystring\", s);\n\t\tSystem.out.println(\" string : \" + w);\n\t}\n}\n\n```\n\n## References\n* Portswigger: [Server Side Template Injection](https://portswigger.net/web-security/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-094",
+                    "external/cwe/cwe-1336",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/spel-expression-injection",
+                "name": "java/spel-expression-injection",
+                "shortDescription": {
+                  "text": "Expression language injection (Spring)"
+                },
+                "fullDescription": {
+                  "text": "Evaluation of a user-controlled Spring Expression Language (SpEL) expression may lead to remote code execution."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n      new InputStreamReader(socket.getInputStream()))) {\n\n    String string = reader.readLine();\n    ExpressionParser parser = new SpelExpressionParser();\n    Expression expression = parser.parseExpression(string);\n    return expression.getValue();\n  }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n      new InputStreamReader(socket.getInputStream()))) {\n\n    String string = reader.readLine();\n    ExpressionParser parser = new SpelExpressionParser();\n    Expression expression = parser.parseExpression(string);\n    SimpleEvaluationContext context \n        = SimpleEvaluationContext.forReadWriteDataBinding().build();\n    return expression.getValue(context);\n  }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n",
+                  "markdown": "# Expression language injection (Spring)\nThe Spring Expression Language (SpEL) is a powerful expression language provided by the Spring Framework. The language offers many features including invocation of methods available in the JVM. If a SpEL expression is built using attacker-controlled data, and then evaluated in a powerful context, then it may allow the attacker to run arbitrary code.\n\nThe `SpelExpressionParser` class parses a SpEL expression string and returns an `Expression` instance that can be then evaluated by calling one of its methods. By default, an expression is evaluated in a powerful `StandardEvaluationContext` that allows the expression to access other methods available in the JVM.\n\n\n## Recommendation\nIn general, including user input in a SpEL expression should be avoided. If user input must be included in the expression, it should be then evaluated in a limited context that doesn't allow arbitrary method invocation.\n\n\n## Example\nThe following example uses untrusted data to build a SpEL expression and then runs it in the default powerful context.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n      new InputStreamReader(socket.getInputStream()))) {\n\n    String string = reader.readLine();\n    ExpressionParser parser = new SpelExpressionParser();\n    Expression expression = parser.parseExpression(string);\n    return expression.getValue();\n  }\n}\n```\nThe next example shows how an untrusted SpEL expression can be run in `SimpleEvaluationContext` that doesn't allow accessing arbitrary methods. However, it's recommended to avoid using untrusted input in SpEL expressions.\n\n\n```java\npublic Object evaluate(Socket socket) throws IOException {\n  try (BufferedReader reader = new BufferedReader(\n      new InputStreamReader(socket.getInputStream()))) {\n\n    String string = reader.readLine();\n    ExpressionParser parser = new SpelExpressionParser();\n    Expression expression = parser.parseExpression(string);\n    SimpleEvaluationContext context \n        = SimpleEvaluationContext.forReadWriteDataBinding().build();\n    return expression.getValue(context);\n  }\n}\n```\n\n## References\n* Spring Framework Reference Documentation: [Spring Expression Language (SpEL)](https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html).\n* OWASP: [Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-094",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/spring-disabled-csrf-protection",
+                "name": "java/spring-disabled-csrf-protection",
+                "shortDescription": {
+                  "text": "Disabled Spring CSRF protection"
+                },
+                "fullDescription": {
+                  "text": "Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n  @Override\n  protected void configure(HttpSecurity http) throws Exception {\n    http\n      .csrf(csrf ->\n        // BAD - CSRF protection shouldn't be disabled\n        csrf.disable() \n      );\n  }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n",
+                  "markdown": "# Disabled Spring CSRF protection\nWhen you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n\n## Recommendation\nWhen you use Spring, Cross-Site Request Forgery (CSRF) protection is enabled by default. Spring's recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n\n\n## Example\nThe following example shows the Spring Java configuration with CSRF protection disabled. This type of configuration should only be used if you are creating a service that is used only by non-browser clients.\n\n\n```java\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.security.config.annotation.web.builders.HttpSecurity;\nimport org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;\nimport org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;\n\n@EnableWebSecurity\n@Configuration\npublic class WebSecurityConfig extends WebSecurityConfigurerAdapter {\n  @Override\n  protected void configure(HttpSecurity http) throws Exception {\n    http\n      .csrf(csrf ->\n        // BAD - CSRF protection shouldn't be disabled\n        csrf.disable() \n      );\n  }\n}\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Spring Security Reference: [ Cross Site Request Forgery (CSRF) ](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-352",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql",
+                  "precision": "high",
+                  "security-severity": "8.8"
+                }
+              },
+              {
+                "id": "java/sql-injection",
+                "name": "java/sql-injection",
+                "shortDescription": {
+                  "text": "Query built from user-controlled sources"
+                },
+                "fullDescription": {
+                  "text": "Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n    // BAD: the category might have SQL special characters in it\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Statement statement = connection.createStatement();\n    String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n        + category + \"' ORDER BY PRICE\";\n    ResultSet results = statement.executeQuery(query1);\n}\n\n{\n    // GOOD: use a prepared query\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n    PreparedStatement statement = connection.prepareStatement(query2);\n    statement.setString(1, category);\n    ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. `query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n    // BAD: the category might have Java Persistence Query Language special characters in it\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Statement statement = connection.createStatement();\n    String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n        + category + \"' ORDER BY p.price\";\n    Query q = entityManager.createQuery(query1);\n}\n\n{\n    // GOOD: use a named parameter and set its value\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n    Query q = entityManager.createQuery(query2);\n    q.setParameter(\"category\", category);\n}\n\n{\n    // GOOD: use a positional parameter and set its value\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n    Query q = entityManager.createQuery(query3);\n    q.setParameter(1, category);\n}\n\n{\n    // GOOD: use a named query with a named parameter and set its value\n    @NamedQuery(\n            name=\"lookupByCategory\",\n            query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n    private static class NQ {}\n    ...\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n    namedQuery1.setParameter(\"category\", category);\n}\n\n{\n    // GOOD: use a named query with a positional parameter and set its value\n    @NamedQuery(\n            name=\"lookupByCategory\",\n            query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\")\n    private static class NQ {}\n    ...\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n    namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n",
+                  "markdown": "# Query built from user-controlled sources\nIf a database query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious database queries. This applies to various database query languages, including SQL and the Java Persistence Query Language.\n\n\n## Recommendation\nUsually, it is better to use a SQL prepared statement than to build a complete SQL query with string concatenation. A prepared statement can include a wildcard, written as a question mark (?), for each part of the SQL query that is expected to be filled in by a different value each time it is run. When the query is later executed, a value must be supplied for each wildcard in the query.\n\nIn the Java Persistence Query Language, it is better to use queries with parameters than to build a complete query with string concatenation. A Java Persistence query can include a parameter placeholder for each part of the query that is expected to be filled in by a different value when run. A parameter placeholder may be indicated by a colon (:) followed by a parameter name, or by a question mark (?) followed by an integer position. When the query is later executed, a value must be supplied for each parameter in the query, using the `setParameter` method. Specifying the query using the `@NamedQuery` annotation introduces an additional level of safety: the query must be a constant string literal, preventing construction by string concatenation, and the only way to fill in values for parts of the query is by setting positional parameters.\n\nIt is good practice to use prepared statements (in SQL) or query parameters (in the Java Persistence Query Language) for supplying parameter values to a query, whether or not any of the parameters are directly traceable to user input. Doing so avoids any need to worry about quoting and escaping.\n\n\n## Example\nIn the following example, the code runs a simple SQL query in two different ways.\n\nThe first way involves building a query, `query1`, by concatenating an environment variable with some string literals. The environment variable can include special characters, so this code allows for SQL injection attacks.\n\nThe second way, which shows good practice, involves building a query, `query2`, with a single string literal that includes a wildcard (`?`). The wildcard is then given a value by calling `setString`. This version is immune to injection attacks, because any special characters in the environment variable are not given any special treatment.\n\n\n```java\n{\n    // BAD: the category might have SQL special characters in it\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Statement statement = connection.createStatement();\n    String query1 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\"\n        + category + \"' ORDER BY PRICE\";\n    ResultSet results = statement.executeQuery(query1);\n}\n\n{\n    // GOOD: use a prepared query\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    String query2 = \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE\";\n    PreparedStatement statement = connection.prepareStatement(query2);\n    statement.setString(1, category);\n    ResultSet results = statement.executeQuery();\n}\n```\n\n## Example\nThe following code shows several different ways to run a Java Persistence query.\n\nThe first example involves building a query, `query1`, by concatenating an environment variable with some string literals. Just like the SQL example, the environment variable can include special characters, so this code allows for Java Persistence query injection attacks.\n\nThe remaining examples demonstrate different methods for safely building a Java Persistence query with user-supplied values:\n\n1. `query2` uses a single string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `query3` uses a single string literal that includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\n1. `namedQuery1` is defined using the `@NamedQuery` annotation, whose `query` attribute is a string literal that includes a placeholder for a parameter, indicated by a colon (`:`) and parameter name (`category`).\n1. `namedQuery2` is defined using the `@NamedQuery` annotation, whose `query` attribute includes a placeholder for a parameter, indicated by a question mark (`?`) and position number (`1`).\nThe parameter is then given a value by calling `setParameter`. These versions are immune to injection attacks, because any special characters in the environment variable or user-supplied value are not given any special treatment.\n\n\n```java\n{\n    // BAD: the category might have Java Persistence Query Language special characters in it\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Statement statement = connection.createStatement();\n    String query1 = \"SELECT p FROM Product p WHERE p.category LIKE '\"\n        + category + \"' ORDER BY p.price\";\n    Query q = entityManager.createQuery(query1);\n}\n\n{\n    // GOOD: use a named parameter and set its value\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    String query2 = \"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\"\n    Query q = entityManager.createQuery(query2);\n    q.setParameter(\"category\", category);\n}\n\n{\n    // GOOD: use a positional parameter and set its value\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    String query3 = \"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\"\n    Query q = entityManager.createQuery(query3);\n    q.setParameter(1, category);\n}\n\n{\n    // GOOD: use a named query with a named parameter and set its value\n    @NamedQuery(\n            name=\"lookupByCategory\",\n            query=\"SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price\")\n    private static class NQ {}\n    ...\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Query namedQuery1 = entityManager.createNamedQuery(\"lookupByCategory\");\n    namedQuery1.setParameter(\"category\", category);\n}\n\n{\n    // GOOD: use a named query with a positional parameter and set its value\n    @NamedQuery(\n            name=\"lookupByCategory\",\n            query=\"SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price\")\n    private static class NQ {}\n    ...\n    String category = System.getenv(\"ITEM_CATEGORY\");\n    Query namedQuery2 = entityManager.createNamedQuery(\"lookupByCategory\");\n    namedQuery2.setParameter(1, category);\n}\n```\n\n## References\n* OWASP: [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n* SEI CERT Oracle Coding Standard for Java: [IDS00-J. Prevent SQL injection](https://wiki.sei.cmu.edu/confluence/display/java/IDS00-J.+Prevent+SQL+injection).\n* The Java Tutorials: [Using Prepared Statements](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html).\n* The Java EE Tutorial: [The Java Persistence Query Language](https://docs.oracle.com/javaee/7/tutorial/persistence-querylanguage.htm).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-564](https://cwe.mitre.org/data/definitions/564.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-089",
+                    "external/cwe/cwe-564",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql",
+                  "precision": "high",
+                  "security-severity": "8.8"
+                }
+              },
+              {
+                "id": "java/ssrf",
+                "name": "java/ssrf",
+                "shortDescription": {
+                  "text": "Server-side request forgery"
+                },
+                "fullDescription": {
+                  "text": "Making web requests based on unvalidated user-input may cause the server to communicate with malicious servers."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n",
+                  "markdown": "# Server-side request forgery\nDirectly incorporating user input into an HTTP request without validating the input can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server may be tricked into making a request and interacting with an attacker-controlled server.\n\n\n## Recommendation\nTo guard against SSRF attacks, you should avoid putting user-provided input directly into a request URL. Instead, maintain a list of authorized URLs on the server; then choose from that list based on the input provided. Alternatively, ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly to form a new request without validating the input, which facilitates SSRF attacks. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\nimport java.net.http.HttpClient;\n\npublic class SSRF extends HttpServlet {\n\tprivate static final String VALID_URI = \"http://lgtm.com\";\n\tprivate HttpClient client = HttpClient.newHttpClient();\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\tthrows ServletException, IOException {\n\t\tURI uri = new URI(request.getParameter(\"uri\"));\n\t\t// BAD: a request parameter is incorporated without validation into a Http request\n\t\tHttpRequest r = HttpRequest.newBuilder(uri).build();\n\t\tclient.send(r, null);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_URI.equals(request.getParameter(\"uri\"))) {\n\t\t\tHttpRequest r2 = HttpRequest.newBuilder(uri).build();\n\t\t\tclient.send(r2, null);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* [OWASP SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-918",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql",
+                  "precision": "high",
+                  "security-severity": "9.1"
+                }
+              },
+              {
+                "id": "java/stack-trace-exposure",
+                "name": "java/stack-trace-exposure",
+                "shortDescription": {
+                  "text": "Information exposure through a stack trace"
+                },
+                "fullDescription": {
+                  "text": "Information from a stack trace propagates to an external user. Stack traces can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n",
+                  "markdown": "# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of class names in a stack trace can reveal the structure of the application as well as any internal components it relies on.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is handled in two different ways. In the first version, labeled BAD, the exception is sent back to the remote user using the `sendError()` method. As such, the user is able to see a detailed stack trace, which may contain sensitive information. In the second version, the error message is logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information.\n\n\n```java\nprotected void doGet(HttpServletRequest request, HttpServletResponse response) {\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// BAD: printing a stack trace back to the response\n\t\tex.printStackTrace(response.getWriter());\n\t\treturn;\n\t}\n\n\ttry {\n\t\tdoSomeWork();\n\t} catch (NullPointerException ex) {\n\t\t// GOOD: log the stack trace, and send back a non-revealing response\n\t\tlog(\"Exception occurred\", ex);\n\t\tresponse.sendError(\n\t\t\tHttpServletResponse.SC_INTERNAL_SERVER_ERROR,\n\t\t\t\"Exception occurred\");\n\t\treturn;\n\t}\n}\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* CERT Java Coding Standard: [ERR01-J. Do not allow exceptions to expose sensitive information](https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-209",
+                    "external/cwe/cwe-497",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql",
+                  "precision": "high",
+                  "security-severity": "5.4"
+                }
+              },
+              {
+                "id": "java/static-initialization-vector",
+                "name": "java/static-initialization-vector",
+                "shortDescription": {
+                  "text": "Using a static initialization vector for encryption"
+                },
+                "fullDescription": {
+                  "text": "An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredictable, to maximize encryption and prevent dictionary attacks."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n",
+                  "markdown": "# Using a static initialization vector for encryption\nWhen a cipher is used in certain modes such as CBC or GCM, it requires an initialization vector (IV). Under the same secret key, IVs should be unique and ideally unpredictable. If the same IV is used with the same secret key, then the same plaintext results in the same ciphertext. This can let an attacker learn if the same data pieces are transferred or stored, or help the attacker run a dictionary attack.\n\n\n## Recommendation\nUse a random IV generated by `SecureRandom`.\n\n\n## Example\nThe following example initializes a cipher with a static IV, which is unsafe:\n\n\n```java\nbyte[] iv = new byte[16]; // all zeroes\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\nThe next example initializes a cipher with a random IV:\n\n\n```java\nbyte[] iv = new byte[16];\nSecureRandom random = SecureRandom.getInstanceStrong();\nrandom.nextBytes(iv);\nGCMParameterSpec params = new GCMParameterSpec(128, iv);\nCipher cipher = Cipher.getInstance(\"AES/GCM/PKCS5PADDING\");\ncipher.init(Cipher.ENCRYPT_MODE, key, params);\n```\n\n## References\n* Wikipedia: [Initialization vector](https://en.wikipedia.org/wiki/Initialization_vector).\n* National Institute of Standards and Technology: [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).\n* National Institute of Standards and Technology: [FIPS 140-2: Security Requirements for Cryptographic Modules](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).\n* Common Weakness Enumeration: [CWE-329](https://cwe.mitre.org/data/definitions/329.html).\n* Common Weakness Enumeration: [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-1204",
+                    "external/cwe/cwe-329",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/summary/lines-of-code",
+                "name": "java/summary/lines-of-code",
+                "shortDescription": {
+                  "text": "Total lines of Java/Kotlin code in the database"
+                },
+                "fullDescription": {
+                  "text": "The total number of lines of code across all Java and Kotlin files. This is a useful metric of the size of a database. For all source files that were seen during the build, this query counts the lines of code, excluding whitespace or comments."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "debug",
+                    "lines-of-code",
+                    "summary"
+                  ]
+                }
+              },
+              {
+                "id": "java/summary/lines-of-code-java",
+                "name": "java/summary/lines-of-code-java",
+                "shortDescription": {
+                  "text": "Total lines of Java code in the database"
+                },
+                "fullDescription": {
+                  "text": "The total number of lines of code across all Java files. This is a useful metric of the size of a database. For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace or comments."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "debug",
+                    "summary"
+                  ]
+                }
+              },
+              {
+                "id": "java/summary/lines-of-code-kotlin",
+                "name": "java/summary/lines-of-code-kotlin",
+                "shortDescription": {
+                  "text": "Total lines of Kotlin code in the database"
+                },
+                "fullDescription": {
+                  "text": "The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database. For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace or comments."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "debug",
+                    "summary"
+                  ]
+                }
+              },
+              {
+                "id": "java/tainted-format-string",
+                "name": "java/tainted-format-string",
+                "shortDescription": {
+                  "text": "Use of externally-controlled format string"
+                },
+                "fullDescription": {
+                  "text": "Using external input in format strings can lead to exceptions or information leaks."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n  protected void doGet(HttpServletRequest request, HttpServletResponse response)\n  throws ServletException, IOException {\n    Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n    // User provided value\n    String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n    \n    if (notValid(cardSecurityCode)) {\n      \n      /*\n       * BAD: user provided value is included in the format string.\n       * A malicious user could provide an extra format specifier, which causes an\n       * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n       * access the month or day of the expiration date.\n       */\n      System.out.format(cardSecurityCode +\n                          \" is not the right value. Hint: the card expires in %1$ty.\",\n                        expirationDate);\n      \n      // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n      System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n                        cardSecurityCode,\n                        expirationDate);\n    }\n\n  }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n",
+                  "markdown": "# Use of externally-controlled format string\nThe `String.format` method and related methods, like `PrintStream.printf` and `Formatter.format`, all accept a format string that is used to format the trailing arguments to the format call by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain extra format specifiers that cause an exception to be thrown or information to be leaked.\n\nThe Java standard library implementation for the format methods throws an exception if either the format specifier does not match the type of the argument, or if there are too few or too many arguments. If unsanitized input is used in the format string, it may contain invalid extra format specifiers which cause an exception to be thrown.\n\nPositional format specifiers may be used to access an argument to the format call by position. Unsanitized input in the format string may use a positional format specifier to access information that was not intended to be visible. For example, when formatting a Calendar instance we may intend to print only the year, but a user-specified format string may include a specifier to access the month and day.\n\n\n## Recommendation\nIf the argument passed as a format string is meant to be a plain string rather than a format string, then pass `%s` as the format string, and pass the original argument as the sole trailing argument.\n\n\n## Example\nThe following program is meant to check a card security code for a stored credit card:\n\n\n```java\npublic class ResponseSplitting extends HttpServlet {\n  protected void doGet(HttpServletRequest request, HttpServletResponse response)\n  throws ServletException, IOException {\n    Calendar expirationDate = new GregorianCalendar(2017, GregorianCalendar.SEPTEMBER, 1);\n    // User provided value\n    String cardSecurityCode = request.getParameter(\"cardSecurityCode\");\n    \n    if (notValid(cardSecurityCode)) {\n      \n      /*\n       * BAD: user provided value is included in the format string.\n       * A malicious user could provide an extra format specifier, which causes an\n       * exception to be thrown. Or they could provide a %1$tm or %1$te format specifier to\n       * access the month or day of the expiration date.\n       */\n      System.out.format(cardSecurityCode +\n                          \" is not the right value. Hint: the card expires in %1$ty.\",\n                        expirationDate);\n      \n      // GOOD: %s is used to include the user-provided cardSecurityCode in the output\n      System.out.format(\"%s is not the right value. Hint: the card expires in %2$ty.\",\n                        cardSecurityCode,\n                        expirationDate);\n    }\n\n  }\n}\n```\nHowever, in the first format call it uses the cardSecurityCode provided by the user in a format string. If the user includes a format specifier in the cardSecurityCode field, they may be able to cause an exception to be thrown, or to be able to access extra information about the stored card expiration date.\n\nThe second format call shows the correct approach. The user-provided value is passed as an argument to the format call. This prevents any format specifiers in the user provided value from being evaluated.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [IDS06-J. Exclude unsanitized user input from format strings](https://wiki.sei.cmu.edu/confluence/display/java/IDS06-J.+Exclude+unsanitized+user+input+from+format+strings).\n* The Java Tutorials: [Formatting Numeric Print Output](https://docs.oracle.com/javase/tutorial/java/data/numberformat.html).\n* Java API Specification: [Formatter](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/Formatter.html).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-134",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql",
+                  "precision": "high",
+                  "security-severity": "9.3"
+                }
+              },
+              {
+                "id": "java/tainted-numeric-cast",
+                "name": "java/tainted-numeric-cast",
+                "shortDescription": {
+                  "text": "User-controlled data in numeric cast"
+                },
+                "fullDescription": {
+                  "text": "Casting user-controlled numeric data to a narrower type without validation can cause unexpected truncation."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n",
+                  "markdown": "# User-controlled data in numeric cast\nCasting a user-controlled numeric value to a narrower type can result in truncated values unless the input is validated.\n\nNarrowing conversions may cause potentially unintended results. For example, casting the positive integer value `128` to type `byte` yields the negative value `-128`.\n\n\n## Recommendation\nGuard against unexpected truncation of user-controlled arithmetic data by doing one of the following:\n\n* Validate the user input.\n* Define a guard on the cast expression, so that the cast is performed only if the input is known to be within the range of the resulting type.\n* Avoid casting to a narrower type, and instead continue to use a wider type.\n\n## Example\nIn this example, a value is read from standard input into a `long`. Because the value is a user-controlled value, it could be extremely large. Casting this value to a narrower type could therefore cause unexpected truncation. The `scaled2` example uses a guard to avoid this problem and checks the range of the input before performing the cast. If the value is too large to cast to type `int` it is rejected as invalid.\n\n\n```java\nclass Test {\n\tpublic static void main(String[] args) throws IOException {\n\t\t{\n\t\t\tlong data;\n\n\t\t\tBufferedReader readerBuffered = new BufferedReader(\n\t\t\t\t\tnew InputStreamReader(System.in, \"UTF-8\"));\n\t\t\tString stringNumber = readerBuffered.readLine();\n\t\t\tif (stringNumber != null) {\n\t\t\t\tdata = Long.parseLong(stringNumber.trim());\n\t\t\t} else {\n\t\t\t\tdata = 0;\n\t\t\t}\n\n\t\t\t// AVOID: potential truncation if input data is very large,\n\t\t\t// for example 'Long.MAX_VALUE'\n\t\t\tint scaled = (int)data;\n\n\t\t\t//...\n\n\t\t\t// GOOD: use a guard to ensure no truncation occurs\n\t\t\tint scaled2;\n\t\t\tif (data > Integer.MIN_VALUE && data < Integer.MAX_VALUE)\n\t\t\t\tscaled2 = (int)data;\n\t\t\telse\n\t\t\t\tthrow new IllegalArgumentException(\"Invalid input\");\n\t\t}\n\t}\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data](https://wiki.sei.cmu.edu/confluence/display/java/NUM12-J.+Ensure+conversions+of+numeric+types+to+narrower+types+do+not+result+in+lost+or+misinterpreted+data).\n* Common Weakness Enumeration: [CWE-197](https://cwe.mitre.org/data/definitions/197.html).\n* Common Weakness Enumeration: [CWE-681](https://cwe.mitre.org/data/definitions/681.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-197",
+                    "external/cwe/cwe-681",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql",
+                  "precision": "high",
+                  "security-severity": "9"
+                }
+              },
+              {
+                "id": "java/tainted-permissions-check",
+                "name": "java/tainted-permissions-check",
+                "shortDescription": {
+                  "text": "User-controlled data used in permissions check"
+                },
+                "fullDescription": {
+                  "text": "Using user-controlled data in a permissions check may result in inappropriate permissions being granted."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n",
+                  "markdown": "# User-controlled data used in permissions check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nThis example, using the Apache Shiro security framework, shows two ways to specify the permissions to check. The first way uses a string, `whatDoTheyWantToDo`, to specify the permissions to check. However, this string is built from user input. This can allow an attacker to force a check against a permission that they know they have, rather than the permission that should be checked. For example, while trying to access the account details of another user, the attacker could force the system to check whether they had permissions to access their *own* account details, which is incorrect, and would allow them to perform the action. The second, more secure way uses a fixed check that does not depend on data that is controlled by the user.\n\n\n```java\npublic static void main(String[] args) {\n\tString whatDoTheyWantToDo = args[0];\n\tSubject subject = SecurityUtils.getSubject();\n\n\t// BAD: permissions decision made using tainted data\n\tif(subject.isPermitted(\"domain:sublevel:\" + whatDoTheyWantToDo))\n\t\tdoIt();\n\n\t// GOOD: use fixed checks\n\tif(subject.isPermitted(\"domain:sublevel:whatTheMethodDoes\"))\n\t\tdoIt();\n}\n```\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [SEC02-J. Do not base security checks on untrusted sources](https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources).\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-290",
+                    "external/cwe/cwe-807",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql",
+                  "precision": "high",
+                  "security-severity": "7.8"
+                }
+              },
+              {
+                "id": "java/telemetry/external-libs",
+                "name": "java/telemetry/external-libs",
+                "shortDescription": {
+                  "text": "External libraries"
+                },
+                "fullDescription": {
+                  "text": "A list of external libraries used in the code"
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "summary",
+                    "telemetry"
+                  ]
+                }
+              },
+              {
+                "id": "java/telemetry/extraction-information",
+                "name": "java/telemetry/extraction-information",
+                "shortDescription": {
+                  "text": "Java extraction information"
+                },
+                "fullDescription": {
+                  "text": "Information about the extraction for a Java database"
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "summary",
+                    "telemetry"
+                  ]
+                }
+              },
+              {
+                "id": "java/telemetry/supported-external-api",
+                "name": "java/telemetry/supported-external-api",
+                "shortDescription": {
+                  "text": "Usage of supported APIs coming from external libraries"
+                },
+                "fullDescription": {
+                  "text": "A list of supported 3rd party APIs used in the codebase. Excludes test and generated code."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "summary",
+                    "telemetry"
+                  ]
+                }
+              },
+              {
+                "id": "java/telemetry/supported-external-api-sinks",
+                "name": "java/telemetry/supported-external-api-sinks",
+                "shortDescription": {
+                  "text": "Supported sinks in external libraries"
+                },
+                "fullDescription": {
+                  "text": "A list of 3rd party APIs detected as sinks. Excludes test and generated code."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "summary",
+                    "telemetry"
+                  ]
+                }
+              },
+              {
+                "id": "java/telemetry/supported-external-api-sources",
+                "name": "java/telemetry/supported-external-api-sources",
+                "shortDescription": {
+                  "text": "Supported sources in external libraries"
+                },
+                "fullDescription": {
+                  "text": "A list of 3rd party APIs detected as sources. Excludes test and generated code."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "summary",
+                    "telemetry"
+                  ]
+                }
+              },
+              {
+                "id": "java/telemetry/supported-external-api-taint",
+                "name": "java/telemetry/supported-external-api-taint",
+                "shortDescription": {
+                  "text": "Supported flow steps in external libraries"
+                },
+                "fullDescription": {
+                  "text": "A list of 3rd party APIs detected as flow steps. Excludes test and generated code."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "summary",
+                    "telemetry"
+                  ]
+                }
+              },
+              {
+                "id": "java/telemetry/unsupported-external-api",
+                "name": "java/telemetry/unsupported-external-api",
+                "shortDescription": {
+                  "text": "Usage of unsupported APIs coming from external libraries"
+                },
+                "fullDescription": {
+                  "text": "A list of 3rd party APIs used in the codebase. Excludes test and generated code."
+                },
+                "defaultConfiguration": {},
+                "properties": {
+                  "tags": [
+                    "summary",
+                    "telemetry"
+                  ]
+                }
+              },
+              {
+                "id": "java/unsafe-deserialization",
+                "name": "java/unsafe-deserialization",
+                "shortDescription": {
+                  "text": "Deserialization of user-controlled data"
+                },
+                "fullDescription": {
+                  "text": "Deserializing user-controlled data may allow attackers to execute arbitrary code."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n  public int field;\n  MyObject(int field) {\n    this.field = field;\n  }\n}\n\npublic MyObject deserialize(Socket sock) {\n  try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n    return (MyObject)in.readObject(); // unsafe\n  }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n  try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n    return new MyObject(in.readInt());\n  }\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n",
+                  "markdown": "# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.\n\nThere are many different serialization frameworks. This query currently supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap, Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through `ObjectInputStream`/`ObjectOutputStream`.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\nRecommendations specific to particular frameworks supported by this query:\n\n**FastJson** - `com.alibaba:fastjson`\n\n* **Secure by Default**: Partially\n* **Recommendation**: Call `com.alibaba.fastjson.parser.ParserConfig#setSafeMode` with the argument `true` before deserializing untrusted data.\n\n\n**FasterXML** - `com.fasterxml.jackson.core:jackson-databind`\n\n* **Secure by Default**: Yes\n* **Recommendation**: Don't call `com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping` and don't annotate any object fields with `com.fasterxml.jackson.annotation.JsonTypeInfo` passing either the `CLASS` or `MINIMAL_CLASS` values to the annotation. Read [this guide](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba).\n\n\n**Kryo** - `com.esotericsoftware:kryo` and `com.esotericsoftware:kryo5`\n\n* **Secure by Default**: Yes for `com.esotericsoftware:kryo5` and for `com.esotericsoftware:kryo` >= v5.0.0\n* **Recommendation**: Don't call `com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired` with the argument `false` on any `Kryo` instance that may deserialize untrusted data.\n\n\n**ObjectInputStream** - `Java Standard Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Use a validating input stream, such as `org.apache.commons.io.serialization.ValidatingObjectInputStream`.\n\n\n**SnakeYAML** - `org.yaml:snakeyaml`\n\n* **Secure by Default**: No\n* **Recommendation**: Pass an instance of `org.yaml.snakeyaml.constructor.SafeConstructor` to `org.yaml.snakeyaml.Yaml`'s constructor before using it to deserialize untrusted data.\n\n\n**XML Decoder** - `Standard Java Library`\n\n* **Secure by Default**: No\n* **Recommendation**: Do not use with untrusted user input.\n\n\n**ObjectMesssage** - `Java EE/Jakarta EE`\n\n* **Secure by Default**: Depends on the JMS implementation.\n* **Recommendation**: Do not use with untrusted user input.\n\n\n\n## Example\nThe following example calls `readObject` directly on an `ObjectInputStream` that is constructed from untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic MyObject {\n  public int field;\n  MyObject(int field) {\n    this.field = field;\n  }\n}\n\npublic MyObject deserialize(Socket sock) {\n  try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {\n    return (MyObject)in.readObject(); // unsafe\n  }\n}\n\n```\nRewriting the communication protocol to only rely on reading primitive types from the input stream removes the vulnerability.\n\n\n```java\npublic MyObject deserialize(Socket sock) {\n  try(DataInputStream in = new DataInputStream(sock.getInputStream())) {\n    return new MyObject(in.readInt());\n  }\n}\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Talks by Chris Frohoff & Gabriel Lawrence: [ AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day](http://frohoff.github.io/appseccali-marshalling-pickles/), [OWASP SD: Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization](http://frohoff.github.io/owaspsd-deserialize-my-shorts/).\n* Alvaro Muñoz & Christian Schneider, RSAConference 2016: [Serial Killer: Silently Pwning Your Java Endpoints](https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints).\n* SnakeYaml documentation on deserialization: [SnakeYaml deserialization](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Documentation#markdown-header-loading-yaml).\n* Hessian deserialization and related gadget chains: [Hessian deserialization](https://paper.seebug.org/1137/).\n* Castor and Hessian java deserialization vulnerabilities: [Castor and Hessian deserialization](https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/).\n* Remote code execution in JYaml library: [JYaml deserialization](https://www.cybersecurity-help.cz/vdb/SB2020022512).\n* JsonIO deserialization vulnerabilities: [JsonIO deserialization](https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/).\n* Research by Moritz Bechler: [Java Unmarshaller Security - Turning your data into code execution](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)\n* Blog posts by the developer of Jackson libraries: [On Jackson CVEs: Don’t Panic — Here is what you need to know](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) [Jackson 2.10: Safe Default Typing](https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba)\n* Jabsorb documentation on deserialization: [Jabsorb JSON Serializer](https://github.com/Servoy/jabsorb/blob/master/src/org/jabsorb/).\n* Jodd JSON documentation on deserialization: [JoddJson Parser](https://json.jodd.org/parser).\n* RCE in Flexjson: [Flexjson deserialization](https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html).\n* Android Intent deserialization vulnerabilities with GSON parser: [Insecure use of JSON parsers](https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers).\n* Research by Matthias Kaiser: [Pwning Your Java Messaging With Deserialization Vulnerabilities](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-502",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/unsafe-hostname-verification",
+                "name": "java/unsafe-hostname-verification",
+                "shortDescription": {
+                  "text": "Unsafe hostname verification"
+                },
+                "fullDescription": {
+                  "text": "Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n",
+                  "markdown": "# Unsafe hostname verification\nIf a `HostnameVerifier` always returns `true` it will not verify the hostname at all. This stops Transport Layer Security (TLS) providing any security and allows an attacker to perform a man-in-the-middle attack against the application.\n\nAn attack might look like this:\n\n1. The program connects to `https://example.com`.\n1. The attacker intercepts this connection and presents an apparently-valid certificate of their choosing.\n1. The `TrustManager` of the program verifies that the certificate has been issued by a trusted certificate authority.\n1. The Java HTTPS library checks whether the certificate has been issued for the host `example.com`. This check fails because the certificate has been issued for a domain controlled by the attacker, for example: `malicious.domain`.\n1. The HTTPS library wants to reject the certificate because the hostname does not match. Before doing this it checks whether a `HostnameVerifier` exists.\n1. Your `HostnameVerifier` is called which returns `true` for any certificate so also for this one.\n1. The program proceeds with the connection since your `HostnameVerifier` accepted it.\n1. The attacker can now read the data your program sends to `https://example.com` and/or alter its replies while the program thinks the connection is secure.\n\n## Recommendation\nDo not use an open `HostnameVerifier`. If you have a configuration problem with TLS/HTTPS, you should always solve the configuration problem instead of using an open verifier.\n\n\n## Example\nIn the first (bad) example, the `HostnameVerifier` always returns `true`. This allows an attacker to perform a man-in-the-middle attack, because any certificate is accepted despite an incorrect hostname. In the second (good) example, the `HostnameVerifier` only returns `true` when the certificate has been correctly checked.\n\n\n```java\npublic static void main(String[] args) {\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\treturn true; // BAD: accept even if the hostname doesn't match\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n\t{\n\t\tHostnameVerifier verifier = new HostnameVerifier() {\n\t\t\t@Override\n\t\t\tpublic boolean verify(String hostname, SSLSession session) {\n\t\t\t\ttry { // GOOD: verify the certificate\n\t\t\t\t\tCertificate[] certs = session.getPeerCertificates();\n\t\t\t\t\tX509Certificate x509 = (X509Certificate) certs[0];\n\t\t\t\t\tcheck(new String[]{host}, x509);\n\t\t\t\t\treturn true;\n\t\t\t\t} catch (SSLException e) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t};\n\t\tHttpsURLConnection.setDefaultHostnameVerifier(verifier);\n\t}\n\n}\n```\n\n## References\n* Android developers: [Security with HTTPS and SSL](https://developer.android.com/training/articles/security-ssl).\n* Terse systems blog: [Fixing Hostname Verification](https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-297",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql",
+                  "precision": "high",
+                  "security-severity": "5.9"
+                }
+              },
+              {
+                "id": "java/unvalidated-url-forward",
+                "name": "java/unvalidated-url-forward",
+                "shortDescription": {
+                  "text": "URL forward from a remote source"
+                },
+                "fullDescription": {
+                  "text": "URL forward based on unvalidated user input may cause file information disclosure."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# URL forward from a remote source\nDirectly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n",
+                  "markdown": "# URL forward from a remote source\nDirectly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.\n\n\n## Recommendation\nTo guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.\n\n\n```java\npublic class UrlForward extends HttpServlet {\n\tprivate static final String VALID_FORWARD = \"https://cwe.mitre.org/data/definitions/552.html\";\n\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\t\t\tthrows ServletException, IOException {\n\t\tServletConfig cfg = getServletConfig();\n\t\tServletContext sc = cfg.getServletContext();\n\n\t\t// BAD: a request parameter is incorporated without validation into a URL forward\n\t\tsc.getRequestDispatcher(request.getParameter(\"target\")).forward(request, response);\n\n\t\t// GOOD: the request parameter is validated against a known fixed string\n\t\tif (VALID_FORWARD.equals(request.getParameter(\"target\"))) {\n\t\t\tsc.getRequestDispatcher(VALID_FORWARD).forward(request, response);\n\t\t}\n\t}\n}\n\n```\n\n## References\n* OWASP: [Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-552](https://cwe.mitre.org/data/definitions/552.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-552",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-552/UrlForward.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/unvalidated-url-redirection",
+                "name": "java/unvalidated-url-redirection",
+                "shortDescription": {
+                  "text": "URL redirection from remote source"
+                },
+                "fullDescription": {
+                  "text": "URL redirection based on unvalidated user-input may cause redirection to malicious web sites."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    // BAD: a request parameter is incorporated without validation into a URL redirect\n    response.sendRedirect(request.getParameter(\"target\"));\n  }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n  private static final List VALID_REDIRECTS = Arrays.asList(\n    \"http://cwe.mitre.org/data/definitions/601.html\",\n    \"http://cwe.mitre.org/data/definitions/79.html\"\n  );\n\n  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    // GOOD: the request parameter is validated against a known list of strings\n    String target = request.getParameter(\"target\");\n    if (VALID_REDIRECTS.contains(target)) {\n        response.sendRedirect(target);\n    } else {\n        response.sendRedirect(\"/error.html\");\n    }\n  }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    try {\n      String urlString = request.getParameter(\"page\");\n      URI url = new URI(urlString);\n\n      if (!url.isAbsolute()) {\n        response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n      }\n\n      if (\"example.org\".equals(url.getHost())) {\n        response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n      }\n    } catch (URISyntaxException e) {\n        // handle exception\n    }\n  }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n",
+                  "markdown": "# URL redirection from remote source\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    // BAD: a request parameter is incorporated without validation into a URL redirect\n    response.sendRedirect(request.getParameter(\"target\"));\n  }\n}\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n  private static final List VALID_REDIRECTS = Arrays.asList(\n    \"http://cwe.mitre.org/data/definitions/601.html\",\n    \"http://cwe.mitre.org/data/definitions/79.html\"\n  );\n\n  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    // GOOD: the request parameter is validated against a known list of strings\n    String target = request.getParameter(\"target\");\n    if (VALID_REDIRECTS.contains(target)) {\n        response.sendRedirect(target);\n    } else {\n        response.sendRedirect(\"/error.html\");\n    }\n  }\n}\n```\nAlternatively, we can check that the target URL does not redirect to a different host by checking that the URL is either relative or on a known good host:\n\n\n```java\npublic class UrlRedirect extends HttpServlet {\n  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    try {\n      String urlString = request.getParameter(\"page\");\n      URI url = new URI(urlString);\n\n      if (!url.isAbsolute()) {\n        response.sendRedirect(url.toString()); // GOOD: The redirect is to a relative URL\n      }\n\n      if (\"example.org\".equals(url.getHost())) {\n        response.sendRedirect(url.toString()); // GOOD: The redirect is to a known host\n      }\n    } catch (URISyntaxException e) {\n        // handle exception\n    }\n  }\n}\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Microsoft Docs: [Preventing Open Redirection Attacks (C\\#)](https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-601",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql",
+                  "precision": "high",
+                  "security-severity": "6.1"
+                }
+              },
+              {
+                "id": "java/weak-cryptographic-algorithm",
+                "name": "java/weak-cryptographic-algorithm",
+                "shortDescription": {
+                  "text": "Use of a broken or risky cryptographic algorithm"
+                },
+                "fullDescription": {
+                  "text": "Using broken or weak cryptographic algorithms can allow an attacker to compromise security."
+                },
+                "defaultConfiguration": {},
+                "help": {
+                  "text": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n",
+                  "markdown": "# Use of a broken or risky cryptographic algorithm\nUsing broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.\n\nMany cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.\n\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.\n\n\n## Example\nThe following code shows an example of using a java `Cipher` to encrypt some data. When creating a `Cipher` instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```java\n// BAD: DES is a weak algorithm \nCipher des = Cipher.getInstance(\"DES\");\ncipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);\n\nbyte[] encrypted = cipher.doFinal(input.getBytes(\"UTF-8\"));\n\n// ...\n\n// GOOD: AES is a strong algorithm\nCipher aes = Cipher.getInstance(\"AES\");\n\n// ...\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-327",
+                    "external/cwe/cwe-328",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              },
+              {
+                "id": "java/world-writable-file-read",
+                "name": "java/world-writable-file-read",
+                "shortDescription": {
+                  "text": "Reading from a world writable file"
+                },
+                "fullDescription": {
+                  "text": "Reading from a file which is set as world writable is dangerous because the file may be modified or removed by external actors."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n  if (!configFile.exists()) {\n    // Create an empty config file\n    configFile.createNewFile();\n    // Make the file writable for all\n    configFile.setWritable(true, false);\n  }\n  // Now read the config\n  loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n",
+                  "markdown": "# Reading from a world writable file\nReading from a world-writable file is dangerous on a multi-user system because other users may be able to affect program execution by modifying or deleting the file.\n\n\n## Recommendation\nDo not make files explicitly world writable unless the file is intended to be written by multiple users on a multi-user system. In many cases, the file may only need to be writable for the current user.\n\nFor some file systems, there may be alternatives to setting the file to be world writable. For example, POSIX file systems support \"groups\" which may be used to ensure that only subset of all the users can write to the file. Access Control Lists (ACLs) are available for many operating system and file system combinations, and can provide fine-grained read and write support without resorting to world writable permissions.\n\n\n## Example\nIn the following example, we are loading some configuration parameters from a file:\n\n```java\n\nprivate void readConfig(File configFile) {\n  if (!configFile.exists()) {\n    // Create an empty config file\n    configFile.createNewFile();\n    // Make the file writable for all\n    configFile.setWritable(true, false);\n  }\n  // Now read the config\n  loadConfig(configFile);\n}\n\n```\nIf the configuration file does not yet exist, an empty file is created. Creating an empty file can simplify the later code and is a convenience for the user. However, by setting the file to be world writable, we allow any user on the system to modify the configuration, not just the current user. If there may be untrusted users on the system, this is potentially dangerous.\n\n\n## References\n* SEI CERT Oracle Coding Standard for Java: [FIO01-J. Create files with appropriate access permissions](https://wiki.sei.cmu.edu/confluence/display/java/FIO01-J.+Create+files+with+appropriate+access+permissions).\n* Common Weakness Enumeration: [CWE-732](https://cwe.mitre.org/data/definitions/732.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-732",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql",
+                  "precision": "high",
+                  "security-severity": "7.8"
+                }
+              },
+              {
+                "id": "java/xml/xpath-injection",
+                "name": "java/xml/xpath-injection",
+                "shortDescription": {
+                  "text": "XPath injection"
+                },
+                "fullDescription": {
+                  "text": "Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n                        \"   \" + \n                        \"   \" + \n                        \"\";\ntry {\n    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n    domFactory.setNamespaceAware(true);\n    DocumentBuilder builder = domFactory.newDocumentBuilder();\n    //Document doc = builder.parse(\"user.xml\");\n    Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n    XPathFactory factory = XPathFactory.newInstance();\n    XPath xpath = factory.newXPath();\n\n    // Injectable data\n    String user = request.getParameter(\"user\");\n    String pass = request.getParameter(\"pass\");\n    if (user != null && pass != null) {\n        boolean isExist = false;\n\n        // Bad expression\n        String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n        isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n        // Bad expression\n        XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n        isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n        // Bad expression\n        StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n        sb.append(user);\n        sb.append(\"' and @pass='\");\n        sb.append(pass);\n        sb.append(\"']\");\n        String query = sb.toString();\n        XPathExpression expression3 = xpath.compile(query);\n        isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n        // Good expression\n        String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n        xpath.setXPathVariableResolver(v -> {\n        switch (v.getLocalPart()) {\n            case \"user\":\n                return user;\n            case \"pass\":\n                return pass;\n            default:\n                throw new IllegalArgumentException();\n            }\n        });\n        isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n\n        // Bad Dom4j \n        org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();\n        org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n        isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n        // or document.selectNodes\n        System.out.println(isExist);\n\n        // Good Dom4j\n        org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n        svc.setVariableValue(\"user\", user);\n        svc.setVariableValue(\"pass\", pass);\n        String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n        org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n        safeXPath.setVariableContext(svc);\n        isExist = safeXPath.selectSingleNode(document) != null;\n        System.out.println(isExist);\n    }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n",
+                  "markdown": "# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or pre-compile the query and use variable references to include the user input.\n\nXPath injection can also be prevented by using XQuery.\n\n\n## Example\nIn the first three examples, the code accepts a name and password specified by the user, and uses this unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\nIn the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.\n\nThe final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.\n\n\n```java\nfinal String xmlStr = \"\" + \n                        \"   \" + \n                        \"   \" + \n                        \"\";\ntry {\n    DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();\n    domFactory.setNamespaceAware(true);\n    DocumentBuilder builder = domFactory.newDocumentBuilder();\n    //Document doc = builder.parse(\"user.xml\");\n    Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));\n\n    XPathFactory factory = XPathFactory.newInstance();\n    XPath xpath = factory.newXPath();\n\n    // Injectable data\n    String user = request.getParameter(\"user\");\n    String pass = request.getParameter(\"pass\");\n    if (user != null && pass != null) {\n        boolean isExist = false;\n\n        // Bad expression\n        String expression1 = \"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\";\n        isExist = (boolean)xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n        // Bad expression\n        XPathExpression expression2 = xpath.compile(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\");\n        isExist = (boolean)expression2.evaluate(doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n        // Bad expression\n        StringBuffer sb = new StringBuffer(\"/users/user[@name=\");\n        sb.append(user);\n        sb.append(\"' and @pass='\");\n        sb.append(pass);\n        sb.append(\"']\");\n        String query = sb.toString();\n        XPathExpression expression3 = xpath.compile(query);\n        isExist = (boolean)expression3.evaluate(doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n        // Good expression\n        String expression4 = \"/users/user[@name=$user and @pass=$pass]\";\n        xpath.setXPathVariableResolver(v -> {\n        switch (v.getLocalPart()) {\n            case \"user\":\n                return user;\n            case \"pass\":\n                return pass;\n            default:\n                throw new IllegalArgumentException();\n            }\n        });\n        isExist = (boolean)xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);\n        System.out.println(isExist);\n\n\n        // Bad Dom4j \n        org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();\n        org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));\n        isExist = document.selectSingleNode(\"/users/user[@name='\" + user + \"' and @pass='\" + pass + \"']\") != null;\n        // or document.selectNodes\n        System.out.println(isExist);\n\n        // Good Dom4j\n        org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();\n        svc.setVariableValue(\"user\", user);\n        svc.setVariableValue(\"pass\", pass);\n        String xpathString = \"/users/user[@name=$user and @pass=$pass]\";\n        org.dom4j.XPath safeXPath = document.createXPath(xpathString);\n        safeXPath.setVariableContext(svc);\n        isExist = safeXPath.selectSingleNode(document) != null;\n        System.out.println(isExist);\n    }\n} catch (ParserConfigurationException e) {\n\n} catch (SAXException e) {\n\n} catch (XPathExpressionException e) {\n\n} catch (org.dom4j.DocumentException e) {\n\n}\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://owasp.org/www-community/attacks/XPATH_Injection).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-643",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/xslt-injection",
+                "name": "java/xslt-injection",
+                "shortDescription": {
+                  "text": "XSLT transformation with user-controlled stylesheet"
+                },
+                "fullDescription": {
+                  "text": "Performing an XSLT transformation with user-controlled stylesheets can lead to information disclosure or execution of arbitrary code."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n  StreamSource xslt = new StreamSource(socket.getInputStream());\n  StreamSource xml = new StreamSource(new StringReader(inputXml));\n  StringWriter result = new StringWriter();\n  TransformerFactory factory = TransformerFactory.newInstance();\n\n  // BAD: User provided XSLT stylesheet is processed\n  factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n  // GOOD: The secure processing mode is enabled\n  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n  factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n}  \n```\n\n## References\n* Wikipedia: [XSLT](https://en.wikipedia.org/wiki/XSLT).\n* The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n",
+                  "markdown": "# XSLT transformation with user-controlled stylesheet\nXSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.\n\n\n## Recommendation\nThe general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.\n\n\n## Example\nIn the following examples, the code accepts an XSLT stylesheet from the user and processes it.\n\nIn the first example, the user-provided XSLT stylesheet is parsed and processed.\n\nIn the second example, secure processing mode is enabled.\n\n\n```java\nimport javax.xml.XMLConstants;\nimport javax.xml.transform.TransformerFactory;\nimport javax.xml.transform.stream.StreamResult;\nimport javax.xml.transform.stream.StreamSource;\n\npublic void transform(Socket socket, String inputXml) throws Exception {\n  StreamSource xslt = new StreamSource(socket.getInputStream());\n  StreamSource xml = new StreamSource(new StringReader(inputXml));\n  StringWriter result = new StringWriter();\n  TransformerFactory factory = TransformerFactory.newInstance();\n\n  // BAD: User provided XSLT stylesheet is processed\n  factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n\n  // GOOD: The secure processing mode is enabled\n  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n  factory.newTransformer(xslt).transform(xml, new StreamResult(result));\n}  \n```\n\n## References\n* Wikipedia: [XSLT](https://en.wikipedia.org/wiki/XSLT).\n* The Java Tutorials: [Transforming XML Data with XSLT](https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html).\n* [XSLT Injection Basics](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/).\n* Common Weakness Enumeration: [CWE-74](https://cwe.mitre.org/data/definitions/74.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-074",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql",
+                  "precision": "high",
+                  "security-severity": "9.8"
+                }
+              },
+              {
+                "id": "java/xss",
+                "name": "java/xss",
+                "shortDescription": {
+                  "text": "Cross-site scripting"
+                },
+                "fullDescription": {
+                  "text": "Writing user input directly to a web page allows for a cross-site scripting vulnerability."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n",
+                  "markdown": "# Cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the reference.\n\n\n## Example\nThe following example shows the `page` parameter being written directly to the page, leaving the website vulnerable to cross-site scripting.\n\n\n```java\npublic class XSS extends HttpServlet {\n\tprotected void doGet(HttpServletRequest request, HttpServletResponse response)\n\tthrows ServletException, IOException {\n\t\t// BAD: a request parameter is written directly to the Servlet response stream\n\t\tresponse.getWriter().print(\n\t\t\t\t\"The page \\\"\" + request.getParameter(\"page\") + \"\\\" was not found.\");\n\n\t}\n}\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-079",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-079/XSS.ql",
+                  "precision": "high",
+                  "security-severity": "6.1"
+                }
+              },
+              {
+                "id": "java/xxe",
+                "name": "java/xxe",
+                "shortDescription": {
+                  "text": "Resolving XML external entity in user-controlled data"
+                },
+                "fullDescription": {
+                  "text": "Parsing user-controlled XML documents and allowing expansion of external entity references may lead to disclosure of confidential data or denial of service."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n  DocumentBuilder builder = factory.newDocumentBuilder();\n  builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  DocumentBuilder builder = factory.newDocumentBuilder();\n  builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n",
+                  "markdown": "# Resolving XML external entity in user-controlled data\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.\n\nThere are many XML parsers for Java, and most of them are vulnerable to XXE because their default settings enable parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: `javax.xml.parsers.DocumentBuilder`, `javax.xml.stream.XMLStreamReader`, `org.jdom.input.SAXBuilder`/`org.jdom2.input.SAXBuilder`, `javax.xml.parsers.SAXParser`,`org.dom4j.io.SAXReader`, `org.xml.sax.XMLReader`, `javax.xml.transform.sax.SAXSource`, `javax.xml.transform.TransformerFactory`, `javax.xml.transform.sax.SAXTransformerFactory`, `javax.xml.validation.SchemaFactory`, `javax.xml.bind.Unmarshaller` and `javax.xml.xpath.XPathExpression`.\n\n\n## Recommendation\nThe best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data. If this is not possible you should disable the parsing of external general entities and external parameter entities. This improves security but the code will still be at risk of denial of service and server side request forgery attacks. Protection against denial of service attacks may also be implemented by setting entity expansion limits, which is done by default in recent JDK and JRE implementations. We recommend visiting OWASP's [XML Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java), finding the specific XML parser, and applying the mitigation listed there. Other mitigations might be sufficient in some cases, but manual verification will be needed, as the query will continue to flag the parser as potentially dangerous.\n\n\n## Example\nThe following example calls `parse` on a `DocumentBuilder` that is not safely configured on untrusted data, and is therefore inherently unsafe.\n\n\n```java\npublic void parse(Socket sock) throws Exception {\n  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n  DocumentBuilder builder = factory.newDocumentBuilder();\n  builder.parse(sock.getInputStream()); //unsafe\n}\n\n```\nIn this example, the `DocumentBuilder` is created with DTD disabled, securing it against XXE attack.\n\n\n```java\npublic void disableDTDParse(Socket sock) throws Exception {\n  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  DocumentBuilder builder = factory.newDocumentBuilder();\n  builder.parse(sock.getInputStream()); //safe\n}\n\n```\n\n## References\n* OWASP vulnerability description: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* OWASP guidance on parsing xml files: [XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java).\n* Paper by Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/)\n* Out-of-band data retrieval: Timur Yunusov & Alexey Osipov, Black hat EU 2013: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Denial of service attack (Billion laughs): [Billion Laughs.](https://en.wikipedia.org/wiki/Billion_laughs)\n* The Java Tutorials: [Processing Limit Definitions.](https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html)\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-611",
+                    "external/cwe/cwe-776",
+                    "external/cwe/cwe-827",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-611/XXE.ql",
+                  "precision": "high",
+                  "security-severity": "9.1"
+                }
+              },
+              {
+                "id": "java/zipslip",
+                "name": "java/zipslip",
+                "shortDescription": {
+                  "text": "Arbitrary file access during archive extraction (\"Zip Slip\")"
+                },
+                "fullDescription": {
+                  "text": "Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."
+                },
+                "defaultConfiguration": {
+                  "level": "error"
+                },
+                "help": {
+                  "text": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n    File file = new File(destinationDir, entry.getName());\n    FileOutputStream fos = new FileOutputStream(file); // BAD\n    // ... write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n    File file = new File(destinationDir, entry.getName());\n    if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n        throw new Exception(\"Bad zip entry\");\n    FileOutputStream fos = new FileOutputStream(file); // OK\n    // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n",
+                  "markdown": "# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to verify that the normalized full path of the output file starts with a prefix that matches the destination directory. Path normalization can be done with either `java.io.File.getCanonicalFile()` or `java.nio.file.Path.normalize()`. Prefix checking can be done with `String.startsWith(..)`, but it is better to use `java.nio.file.Path.startsWith(..)`, as the latter works on complete path segments.\n\nAnother alternative is to validate archive entries against a whitelist of expected files.\n\n\n## Example\nIn this example, a file path taken from a zip archive item entry is combined with a destination directory. The result is used as the destination file path without verifying that the result is within the destination directory. If provided with a zip file containing an archive path like `..\\sneaky-file`, then this file would be written outside the destination directory.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n    File file = new File(destinationDir, entry.getName());\n    FileOutputStream fos = new FileOutputStream(file); // BAD\n    // ... write entry to fos ...\n}\n\n```\nTo fix this vulnerability, we need to verify that the normalized `file` still has `destinationDir` as its prefix, and throw an exception if this is not the case.\n\n\n```java\nvoid writeZipEntry(ZipEntry entry, File destinationDir) {\n    File file = new File(destinationDir, entry.getName());\n    if (!file.toPath().normalize().startsWith(destinationDir.toPath()))\n        throw new Exception(\"Bad zip entry\");\n    FileOutputStream fos = new FileOutputStream(file); // OK\n    // ... write entry to fos ...\n}\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n"
+                },
+                "properties": {
+                  "tags": [
+                    "external/cwe/cwe-022",
+                    "security"
+                  ],
+                  "queryURI": "https://github.com/github/codeql/blob/39a67b6e2e6490a9bd010db50e148f647765e9f7/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql",
+                  "precision": "high",
+                  "security-severity": "7.5"
+                }
+              }
+            ]
+          },
+          {
+            "name": "codeql/java-all",
+            "semanticVersion": "4.2.0+39a67b6e2e6490a9bd010db50e148f647765e9f7"
+          },
+          {
+            "name": "codeql/threat-models",
+            "semanticVersion": "1.0.11+39a67b6e2e6490a9bd010db50e148f647765e9f7"
+          }
+        ]
+      },
+      "conversion": {
+        "tool": {
+          "driver": {
+            "name": "GitHub Code Scanning"
+          }
+        }
+      },
+      "versionControlProvenance": [
+        {
+          "repositoryUri": "https://github.com/hintwatermelon/roller",
+          "revisionId": "46cdd370714647a468f6ce422adde3d5e8323375",
+          "branch": "refs/heads/master"
+        }
+      ],
+      "artifacts": [
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+            "index": 0
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+            "index": 1
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+            "index": 2
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+            "index": 3
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+            "index": 4
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+            "index": 5
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+            "index": 6
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+            "index": 7
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+            "index": 8
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+            "index": 9
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+            "index": 10
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+            "index": 11
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+            "index": 12
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+            "index": 13
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+            "index": 14
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java",
+            "index": 15
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+            "index": 16
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+            "index": 17
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+            "index": 18
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+            "index": 19
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+            "index": 20
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+            "index": 21
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+            "index": 22
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+            "index": 23
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+            "index": 24
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+            "index": 25
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+            "index": 26
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+            "index": 27
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+            "index": 28
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+            "index": 29
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+            "index": 30
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+            "index": 31
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+            "index": 32
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+            "index": 33
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+            "index": 34
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+            "index": 35
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+            "index": 36
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+            "index": 37
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+            "index": 38
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+            "index": 39
+          }
+        },
+        {
+          "location": {
+            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+            "index": 40
+          }
+        }
+      ],
+      "results": [
+        {
+          "ruleId": "java/http-response-splitting",
+          "rule": {
+            "id": "java/http-response-splitting",
+            "index": 15,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 133,
+                  "startColumn": 59,
+                  "endLine": 133,
+                  "endColumn": 76
+                }
+              }
+            }
+          ],
+          "correlationGuid": "aa4c5176-3f0c-485c-9bdc-1c9cd2023d09",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "a43352b656264e63:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                            "index": 0
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "folderId : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                            "index": 0
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 44,
+                            "endLine": 131,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "folderId : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                            "index": 0
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 44,
+                            "endLine": 131,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "replace(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                            "index": 0
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 44,
+                            "endLine": 131,
+                            "endColumn": 88
+                          }
+                        },
+                        "message": {
+                          "text": "replace(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                            "index": 0
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 59,
+                            "endLine": 133,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "sanetizedFolderID"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 20,
+                  "endLine": 49,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/8",
+            "github/alertNumber": 8
+          }
+        },
+        {
+          "ruleId": "java/http-response-splitting",
+          "rule": {
+            "id": "java/http-response-splitting",
+            "index": 15,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                  "index": 1
+                },
+                "region": {
+                  "startLine": 155,
+                  "startColumn": 44,
+                  "endLine": 155,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "9a544acb-9e25-40b7-84ea-6f48b454f3fb",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "41fbc440cf27dfd0:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                            "index": 1
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 27,
+                            "endLine": 127,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getParameter(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                            "index": 1
+                          },
+                          "region": {
+                            "startLine": 155,
+                            "startColumn": 44,
+                            "endLine": 155,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "callback"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 127,
+                  "startColumn": 27,
+                  "endLine": 127,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/9",
+            "github/alertNumber": 9
+          }
+        },
+        {
+          "ruleId": "java/insecure-randomness",
+          "rule": {
+            "id": "java/insecure-randomness",
+            "index": 22,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "Potential Insecure randomness due to a [Insecure randomness source.](1).\nPotential Insecure randomness due to a [Insecure randomness source.](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                  "index": 2
+                },
+                "region": {
+                  "startLine": 121,
+                  "startColumn": 36,
+                  "endLine": 121,
+                  "endColumn": 47
+                }
+              }
+            }
+          ],
+          "correlationGuid": "bd7483e8-25f4-41a7-bc67-785e5ccb280d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "ebe2869d4f29cd7e:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 161,
+                            "startColumn": 39,
+                            "endLine": 161,
+                            "endColumn": 80
+                          }
+                        },
+                        "message": {
+                          "text": "randomAlphanumeric(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 36,
+                            "endLine": 162,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "randomString : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 31,
+                            "endLine": 119,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "newPassword : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 36,
+                            "endLine": 121,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "newPassword"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 110,
+                            "startColumn": 39,
+                            "endLine": 110,
+                            "endColumn": 80
+                          }
+                        },
+                        "message": {
+                          "text": "randomAlphanumeric(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 111,
+                            "startColumn": 44,
+                            "endLine": 111,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "randomString : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 31,
+                            "endLine": 119,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "newPassword : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 36,
+                            "endLine": 121,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "newPassword"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 161,
+                  "startColumn": 39,
+                  "endLine": 161,
+                  "endColumn": 80
+                }
+              },
+              "message": {
+                "text": "Insecure randomness source."
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 110,
+                  "startColumn": 39,
+                  "endLine": 110,
+                  "endColumn": 80
+                }
+              },
+              "message": {
+                "text": "Insecure randomness source."
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/10",
+            "github/alertNumber": 10
+          }
+        },
+        {
+          "ruleId": "java/insecure-randomness",
+          "rule": {
+            "id": "java/insecure-randomness",
+            "index": 22,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                  "index": 5
+                },
+                "region": {
+                  "startLine": 122,
+                  "startColumn": 29,
+                  "endLine": 122,
+                  "endColumn": 41
+                }
+              }
+            }
+          ],
+          "correlationGuid": "42e549d2-c275-4945-bf40-d6bebb689d9d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "a706f813f09b282d:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 370,
+                            "startColumn": 35,
+                            "endLine": 370,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "randomAlphanumeric(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 371,
+                            "startColumn": 39,
+                            "endLine": 371,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "randomString : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 33,
+                            "endLine": 121,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "passwordText : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 29,
+                            "endLine": 122,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "passwordText"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 370,
+                  "startColumn": 35,
+                  "endLine": 370,
+                  "endColumn": 76
+                }
+              },
+              "message": {
+                "text": "Insecure randomness source."
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/11",
+            "github/alertNumber": 11
+          }
+        },
+        {
+          "ruleId": "java/insecure-randomness",
+          "rule": {
+            "id": "java/insecure-randomness",
+            "index": 22,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "Potential Insecure randomness due to a [Insecure randomness source.](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                  "index": 5
+                },
+                "region": {
+                  "startLine": 130,
+                  "startColumn": 32,
+                  "endLine": 130,
+                  "endColumn": 47
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d090be49-7c07-4548-be1c-d6a277e20f2e",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "a7e8967f80765bad:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 370,
+                            "startColumn": 35,
+                            "endLine": 370,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "randomAlphanumeric(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 372,
+                            "startColumn": 42,
+                            "endLine": 372,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "randomString : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 129,
+                            "startColumn": 36,
+                            "endLine": 129,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "passwordConfirm : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 32,
+                            "endLine": 130,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "passwordConfirm"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 370,
+                  "startColumn": 35,
+                  "endLine": 370,
+                  "endColumn": 76
+                }
+              },
+              "message": {
+                "text": "Insecure randomness source."
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/12",
+            "github/alertNumber": 12
+          }
+        },
+        {
+          "ruleId": "java/unvalidated-url-redirection",
+          "rule": {
+            "id": "java/unvalidated-url-redirection",
+            "index": 66,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Untrusted URL redirection depends on a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                  "index": 1
+                },
+                "region": {
+                  "startLine": 155,
+                  "startColumn": 44,
+                  "endLine": 155,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "5bb7aec0-639e-4365-93a7-e41e00f18ec6",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "41fbc440cf27dfd0:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                            "index": 1
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 27,
+                            "endLine": 127,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getParameter(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                            "index": 1
+                          },
+                          "region": {
+                            "startLine": 155,
+                            "startColumn": 44,
+                            "endLine": 155,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "callback"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/webservices/oauth/AuthorizationServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 127,
+                  "startColumn": 27,
+                  "endLine": 127,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/13",
+            "github/alertNumber": 13
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                  "index": 7
+                },
+                "region": {
+                  "startLine": 188,
+                  "startColumn": 26,
+                  "endLine": 190,
+                  "endColumn": 70
+                }
+              }
+            }
+          ],
+          "correlationGuid": "ba9b5766-17b3-4de4-a1b7-79df1e478644",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "cccb6385104d4c00:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 26,
+                            "endLine": 138,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 10,
+                            "endLine": 138,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 166,
+                            "startColumn": 23,
+                            "endLine": 166,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 311,
+                            "startColumn": 16,
+                            "endLine": 311,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 41,
+                            "endLine": 188,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "computePrevMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 26,
+                            "endLine": 190,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 29,
+                            "endLine": 207,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 13,
+                            "endLine": 207,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 311,
+                            "startColumn": 16,
+                            "endLine": 311,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 41,
+                            "endLine": 188,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "computePrevMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 26,
+                            "endLine": 190,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 28,
+                            "endLine": 63,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 17,
+                            "endLine": 63,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 25,
+                            "endLine": 182,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 9,
+                            "endLine": 182,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 273,
+                            "startColumn": 23,
+                            "endLine": 273,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 311,
+                            "startColumn": 16,
+                            "endLine": 311,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 41,
+                            "endLine": 188,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "computePrevMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 26,
+                            "endLine": 190,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 24,
+                            "endLine": 58,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 13,
+                            "endLine": 58,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 25,
+                            "endLine": 237,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 9,
+                            "endLine": 237,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 163,
+                            "startColumn": 23,
+                            "endLine": 163,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 311,
+                            "startColumn": 16,
+                            "endLine": 311,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 41,
+                            "endLine": 188,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "computePrevMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 26,
+                            "endLine": 190,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/14",
+            "github/alertNumber": 14
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                  "index": 7
+                },
+                "region": {
+                  "startLine": 194,
+                  "startColumn": 26,
+                  "endLine": 196,
+                  "endColumn": 61
+                }
+              }
+            }
+          ],
+          "correlationGuid": "6ef05652-94ad-44b8-8e9c-f77e493a8e2d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "df1362749a3e519c:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 26,
+                            "endLine": 138,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 10,
+                            "endLine": 138,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 166,
+                            "startColumn": 23,
+                            "endLine": 166,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 306,
+                            "startColumn": 16,
+                            "endLine": 306,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 42,
+                            "endLine": 194,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "computeNextMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 26,
+                            "endLine": 196,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 29,
+                            "endLine": 207,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 13,
+                            "endLine": 207,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 306,
+                            "startColumn": 16,
+                            "endLine": 306,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 42,
+                            "endLine": 194,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "computeNextMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 26,
+                            "endLine": 196,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 28,
+                            "endLine": 63,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 17,
+                            "endLine": 63,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 25,
+                            "endLine": 182,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 9,
+                            "endLine": 182,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 273,
+                            "startColumn": 23,
+                            "endLine": 273,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 306,
+                            "startColumn": 16,
+                            "endLine": 306,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 42,
+                            "endLine": 194,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "computeNextMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 26,
+                            "endLine": 196,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 24,
+                            "endLine": 58,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 13,
+                            "endLine": 58,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 25,
+                            "endLine": 237,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 9,
+                            "endLine": 237,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 163,
+                            "startColumn": 23,
+                            "endLine": 163,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 306,
+                            "startColumn": 16,
+                            "endLine": 306,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 42,
+                            "endLine": 194,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "computeNextMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 194,
+                            "startColumn": 26,
+                            "endLine": 196,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/15",
+            "github/alertNumber": 15
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                  "index": 7
+                },
+                "region": {
+                  "startLine": 247,
+                  "startColumn": 22,
+                  "endLine": 250,
+                  "endColumn": 28
+                }
+              }
+            }
+          ],
+          "correlationGuid": "e116e0f4-cd03-4270-ab36-3b83f00ee00e",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "871c3cf166627615:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 26,
+                            "endLine": 138,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 10,
+                            "endLine": 138,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 319,
+                            "startColumn": 19,
+                            "endLine": 319,
+                            "endColumn": 134
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 324,
+                            "startColumn": 13,
+                            "endLine": 324,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 35,
+                            "endLine": 247,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "computeTodayMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 22,
+                            "endLine": 250,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 29,
+                            "endLine": 207,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 13,
+                            "endLine": 207,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 322,
+                            "startColumn": 19,
+                            "endLine": 322,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 324,
+                            "startColumn": 13,
+                            "endLine": 324,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 35,
+                            "endLine": 247,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "computeTodayMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 22,
+                            "endLine": 250,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 28,
+                            "endLine": 63,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 17,
+                            "endLine": 63,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 25,
+                            "endLine": 182,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 9,
+                            "endLine": 182,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 319,
+                            "startColumn": 19,
+                            "endLine": 319,
+                            "endColumn": 134
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 324,
+                            "startColumn": 13,
+                            "endLine": 324,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 35,
+                            "endLine": 247,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "computeTodayMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 22,
+                            "endLine": 250,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 24,
+                            "endLine": 58,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 13,
+                            "endLine": 58,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 25,
+                            "endLine": 237,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 9,
+                            "endLine": 237,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 322,
+                            "startColumn": 19,
+                            "endLine": 322,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 324,
+                            "startColumn": 13,
+                            "endLine": 324,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 35,
+                            "endLine": 247,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "computeTodayMonthUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 247,
+                            "startColumn": 22,
+                            "endLine": 250,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/16",
+            "github/alertNumber": 16
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                  "index": 7
+                },
+                "region": {
+                  "startLine": 276,
+                  "startColumn": 23,
+                  "endLine": 276,
+                  "endColumn": 30
+                }
+              }
+            }
+          ],
+          "correlationGuid": "db4c7ae4-0eda-47d9-aa17-02047f46b732",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f797cd6a2e95a76a:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 24,
+                            "endLine": 95,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 13,
+                            "endLine": 95,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 114,
+                            "startColumn": 16,
+                            "endLine": 114,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 114,
+                            "startColumn": 16,
+                            "endLine": 114,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 114,
+                            "startColumn": 16,
+                            "endLine": 114,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 747,
+                            "startColumn": 16,
+                            "endLine": 747,
+                            "endColumn": 121
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogEntryURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 31,
+                            "endLine": 106,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getPermalink(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 21,
+                            "endLine": 106,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 63,
+                            "endLine": 230,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 80,
+                            "endLine": 272,
+                            "endColumn": 94
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 26,
+                            "endLine": 138,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 10,
+                            "endLine": 138,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 33,
+                            "endLine": 94,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 28,
+                            "endLine": 98,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "dayUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 17,
+                            "endLine": 98,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 63,
+                            "endLine": 230,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 80,
+                            "endLine": 272,
+                            "endColumn": 94
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 28,
+                            "endLine": 63,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 17,
+                            "endLine": 63,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 20,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 9,
+                            "endLine": 94,
+                            "endColumn": 12
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 12,
+                            "endLine": 97,
+                            "endColumn": 15
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 12,
+                            "endLine": 97,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 747,
+                            "startColumn": 16,
+                            "endLine": 747,
+                            "endColumn": 121
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogEntryURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 31,
+                            "endLine": 106,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getPermalink(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 21,
+                            "endLine": 106,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 63,
+                            "endLine": 230,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 80,
+                            "endLine": 272,
+                            "endColumn": 94
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 24,
+                            "endLine": 58,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 13,
+                            "endLine": 58,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 25,
+                            "endLine": 182,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 9,
+                            "endLine": 182,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 33,
+                            "endLine": 94,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 28,
+                            "endLine": 98,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "dayUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 17,
+                            "endLine": 98,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 63,
+                            "endLine": 230,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 80,
+                            "endLine": 272,
+                            "endColumn": 94
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/17",
+            "github/alertNumber": 17
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                  "index": 7
+                },
+                "region": {
+                  "startLine": 283,
+                  "startColumn": 22,
+                  "endLine": 283,
+                  "endColumn": 44
+                }
+              }
+            }
+          ],
+          "correlationGuid": "2f804f4f-770f-4999-b2a6-e36f3f91f614",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "d06c87887323661e:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 26,
+                            "endLine": 138,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 10,
+                            "endLine": 138,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 166,
+                            "startColumn": 23,
+                            "endLine": 166,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 58,
+                            "endLine": 230,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 68,
+                            "endLine": 272,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 283,
+                            "startColumn": 22,
+                            "endLine": 283,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 29,
+                            "endLine": 207,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 13,
+                            "endLine": 207,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 58,
+                            "endLine": 230,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 68,
+                            "endLine": 272,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 283,
+                            "startColumn": 22,
+                            "endLine": 283,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 28,
+                            "endLine": 63,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 17,
+                            "endLine": 63,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 25,
+                            "endLine": 182,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 9,
+                            "endLine": 182,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 273,
+                            "startColumn": 23,
+                            "endLine": 273,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 58,
+                            "endLine": 230,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 68,
+                            "endLine": 272,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 283,
+                            "startColumn": 22,
+                            "endLine": 283,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 24,
+                            "endLine": 58,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 13,
+                            "endLine": 58,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 25,
+                            "endLine": 237,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 9,
+                            "endLine": 237,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 163,
+                            "startColumn": 23,
+                            "endLine": 163,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 58,
+                            "endLine": 230,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 272,
+                            "startColumn": 68,
+                            "endLine": 272,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 283,
+                            "startColumn": 22,
+                            "endLine": 283,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/18",
+            "github/alertNumber": 18
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                  "index": 7
+                },
+                "region": {
+                  "startLine": 302,
+                  "startColumn": 23,
+                  "endLine": 302,
+                  "endColumn": 30
+                }
+              }
+            }
+          ],
+          "correlationGuid": "ed3376eb-e089-4f43-9bf8-adbd4676887b",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f797b1b59b078d8f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 24,
+                            "endLine": 95,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 13,
+                            "endLine": 95,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 114,
+                            "startColumn": 16,
+                            "endLine": 114,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 114,
+                            "startColumn": 16,
+                            "endLine": 114,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 114,
+                            "startColumn": 16,
+                            "endLine": 114,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 747,
+                            "startColumn": 16,
+                            "endLine": 747,
+                            "endColumn": 121
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogEntryURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 31,
+                            "endLine": 106,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getPermalink(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 21,
+                            "endLine": 106,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 54,
+                            "endLine": 228,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 71,
+                            "endLine": 298,
+                            "endColumn": 85
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 23,
+                            "endLine": 302,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 26,
+                            "endLine": 138,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 10,
+                            "endLine": 138,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 33,
+                            "endLine": 94,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 28,
+                            "endLine": 98,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "dayUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 17,
+                            "endLine": 98,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 54,
+                            "endLine": 228,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 71,
+                            "endLine": 298,
+                            "endColumn": 85
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 23,
+                            "endLine": 302,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 28,
+                            "endLine": 63,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 17,
+                            "endLine": 63,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 20,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 9,
+                            "endLine": 94,
+                            "endColumn": 12
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 12,
+                            "endLine": 97,
+                            "endColumn": 15
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 12,
+                            "endLine": 97,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 747,
+                            "startColumn": 16,
+                            "endLine": 747,
+                            "endColumn": 121
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogEntryURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 31,
+                            "endLine": 106,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getPermalink(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 21,
+                            "endLine": 106,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 54,
+                            "endLine": 228,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 71,
+                            "endLine": 298,
+                            "endColumn": 85
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 23,
+                            "endLine": 302,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 24,
+                            "endLine": 58,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 13,
+                            "endLine": 58,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 25,
+                            "endLine": 182,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 9,
+                            "endLine": 182,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 33,
+                            "endLine": 94,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 28,
+                            "endLine": 98,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "dayUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 17,
+                            "endLine": 98,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 23,
+                            "endLine": 127,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 16,
+                            "endLine": 131,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 216,
+                            "startColumn": 38,
+                            "endLine": 216,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getContent(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 54,
+                            "endLine": 228,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 71,
+                            "endLine": 298,
+                            "endColumn": 85
+                          }
+                        },
+                        "message": {
+                          "text": "content : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 23,
+                            "endLine": 302,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "content"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/19",
+            "github/alertNumber": 19
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                  "index": 7
+                },
+                "region": {
+                  "startLine": 307,
+                  "startColumn": 22,
+                  "endLine": 308,
+                  "endColumn": 68
+                }
+              }
+            }
+          ],
+          "correlationGuid": "47fdf168-4a30-4479-a4ee-b5810a9bee24",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "6d90bf8993f560aa:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 26,
+                            "endLine": 138,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 138,
+                            "startColumn": 10,
+                            "endLine": 138,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 181,
+                            "startColumn": 16,
+                            "endLine": 181,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 166,
+                            "startColumn": 23,
+                            "endLine": 166,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 49,
+                            "endLine": 228,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 59,
+                            "endLine": 298,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 307,
+                            "startColumn": 22,
+                            "endLine": 308,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 29,
+                            "endLine": 207,
+                            "endColumn": 75
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 207,
+                            "startColumn": 13,
+                            "endLine": 207,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 243,
+                            "startColumn": 16,
+                            "endLine": 243,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 276,
+                            "startColumn": 23,
+                            "endLine": 276,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 49,
+                            "endLine": 228,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 59,
+                            "endLine": 298,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 307,
+                            "startColumn": 22,
+                            "endLine": 308,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 19,
+                            "endLine": 127,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 28,
+                            "endLine": 63,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 17,
+                            "endLine": 63,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 16,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 25,
+                            "endLine": 182,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 182,
+                            "startColumn": 9,
+                            "endLine": 182,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 212,
+                            "startColumn": 16,
+                            "endLine": 212,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 273,
+                            "startColumn": 23,
+                            "endLine": 273,
+                            "endColumn": 144
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogCollectionURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/WeblogCalendarModel.java",
+                            "index": 12
+                          },
+                          "region": {
+                            "startLine": 281,
+                            "startColumn": 16,
+                            "endLine": 281,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 49,
+                            "endLine": 228,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 59,
+                            "endLine": 298,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 307,
+                            "startColumn": 22,
+                            "endLine": 308,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 24,
+                            "endLine": 58,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 13,
+                            "endLine": 58,
+                            "endColumn": 16
+                          }
+                        },
+                        "message": {
+                          "text": "url [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/PreviewURLStrategy.java",
+                            "index": 10
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 16,
+                            "endLine": 74,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 25,
+                            "endLine": 237,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 237,
+                            "startColumn": 9,
+                            "endLine": 237,
+                            "endColumn": 17
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "pathinfo : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "append(...) : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/MultiWeblogURLStrategy.java",
+                            "index": 13
+                          },
+                          "region": {
+                            "startLine": 260,
+                            "startColumn": 16,
+                            "endLine": 260,
+                            "endColumn": 79
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 163,
+                            "startColumn": 23,
+                            "endLine": 163,
+                            "endColumn": 154
+                          }
+                        },
+                        "message": {
+                          "text": "getWeblogPageURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/BigWeblogCalendarModel.java",
+                            "index": 11
+                          },
+                          "region": {
+                            "startLine": 171,
+                            "startColumn": 16,
+                            "endLine": 171,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 215,
+                            "startColumn": 34,
+                            "endLine": 215,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "computeUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 49,
+                            "endLine": 228,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 298,
+                            "startColumn": 59,
+                            "endLine": 298,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/tags/calendar/CalendarTag.java",
+                            "index": 7
+                          },
+                          "region": {
+                            "startLine": 307,
+                            "startColumn": 22,
+                            "endLine": 308,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/20",
+            "github/alertNumber": 20
+          }
+        },
+        {
+          "ruleId": "java/xss",
+          "rule": {
+            "id": "java/xss",
+            "index": 71,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Cross-site scripting vulnerability due to a [user-provided value](1).\nCross-site scripting vulnerability due to a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java",
+                  "index": 15
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 21,
+                  "endLine": 66,
+                  "endColumn": 56
+                }
+              }
+            }
+          ],
+          "correlationGuid": "1b6fba72-5d1f-48f1-9f91-ddaa6ff07f20",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "e41b363d572cf6d8:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 72,
+                            "startColumn": 26,
+                            "endLine": 72,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getParameter(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 13,
+                            "endLine": 87,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 3,
+                            "endLine": 87,
+                            "endColumn": 5
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 10,
+                            "endLine": 97,
+                            "endColumn": 12
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 10,
+                            "endLine": 97,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java",
+                            "index": 15
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 21,
+                            "endLine": 66,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "getHtml(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 73,
+                            "startColumn": 26,
+                            "endLine": 73,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getParameter(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 13,
+                            "endLine": 94,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 3,
+                            "endLine": 94,
+                            "endColumn": 5
+                          }
+                        },
+                        "message": {
+                          "text": "sb [post update] : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 10,
+                            "endLine": 97,
+                            "endColumn": 12
+                          }
+                        },
+                        "message": {
+                          "text": "sb : StringBuilder"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                            "index": 16
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 10,
+                            "endLine": 97,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/CommentAuthenticatorServlet.java",
+                            "index": 15
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 21,
+                            "endLine": 66,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "getHtml(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 72,
+                  "startColumn": 26,
+                  "endLine": 72,
+                  "endColumn": 58
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/plugins/comments/LdapCommentAuthenticator.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 73,
+                  "startColumn": 26,
+                  "endLine": 73,
+                  "endColumn": 58
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/21",
+            "github/alertNumber": 21
+          }
+        },
+        {
+          "ruleId": "java/path-injection",
+          "rule": {
+            "id": "java/path-injection",
+            "index": 37,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This path depends on a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                  "index": 17
+                },
+                "region": {
+                  "startLine": 81,
+                  "startColumn": 37,
+                  "endLine": 81,
+                  "endColumn": 50
+                }
+              }
+            }
+          ],
+          "correlationGuid": "41fb6220-c807-46cf-8acf-a02ad395aa77",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "cf23dfd372a61ea3:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 50,
+                            "startColumn": 18,
+                            "endLine": 50,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "opmlFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 16,
+                            "endLine": 142,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "opmlFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 81,
+                            "startColumn": 37,
+                            "endLine": 81,
+                            "endColumn": 50
+                          }
+                        },
+                        "message": {
+                          "text": "getOpmlFile(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 50,
+                  "startColumn": 18,
+                  "endLine": 50,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/22",
+            "github/alertNumber": 22
+          }
+        },
+        {
+          "ruleId": "java/path-injection",
+          "rule": {
+            "id": "java/path-injection",
+            "index": 37,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This path depends on a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                  "index": 17
+                },
+                "region": {
+                  "startLine": 86,
+                  "startColumn": 50,
+                  "endLine": 86,
+                  "endColumn": 63
+                }
+              }
+            }
+          ],
+          "correlationGuid": "19ac3ae8-6aee-4c71-83e5-3ad805b42e72",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "103f70b0007fdfad:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 50,
+                            "startColumn": 18,
+                            "endLine": 50,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "opmlFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 16,
+                            "endLine": 142,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "opmlFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 50,
+                            "endLine": 86,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getOpmlFile(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 50,
+                  "startColumn": 18,
+                  "endLine": 50,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/23",
+            "github/alertNumber": 23
+          }
+        },
+        {
+          "ruleId": "java/path-injection",
+          "rule": {
+            "id": "java/path-injection",
+            "index": 37,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This path depends on a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                  "index": 17
+                },
+                "region": {
+                  "startLine": 112,
+                  "startColumn": 21,
+                  "endLine": 112,
+                  "endColumn": 34
+                }
+              }
+            }
+          ],
+          "correlationGuid": "bd7ccb79-f108-47d2-ba9c-03ae9ca99d04",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "9a91c0ae5a3ea9d:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 50,
+                            "startColumn": 18,
+                            "endLine": 50,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "opmlFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 16,
+                            "endLine": 142,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "opmlFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                            "index": 17
+                          },
+                          "region": {
+                            "startLine": 112,
+                            "startColumn": 21,
+                            "endLine": 112,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "getOpmlFile(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarksImport.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 50,
+                  "startColumn": 18,
+                  "endLine": 50,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/24",
+            "github/alertNumber": 24
+          }
+        },
+        {
+          "ruleId": "java/path-injection",
+          "rule": {
+            "id": "java/path-injection",
+            "index": 37,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This path depends on a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                  "index": 18
+                },
+                "region": {
+                  "startLine": 147,
+                  "startColumn": 48,
+                  "endLine": 147,
+                  "endColumn": 58
+                }
+              }
+            }
+          ],
+          "correlationGuid": "16ab249d-cb7d-4003-bb25-4237836305d5",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "77597f482b4d5d50:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 53,
+                            "startColumn": 20,
+                            "endLine": 53,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFiles : File[]"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 266,
+                            "startColumn": 16,
+                            "endLine": 266,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFiles : File[]"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 30,
+                            "endLine": 139,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "getUploadedFiles(...) : File[]"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 147,
+                            "startColumn": 48,
+                            "endLine": 147,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "...[...]"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 53,
+                  "startColumn": 20,
+                  "endLine": 53,
+                  "endColumn": 33
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/25",
+            "github/alertNumber": 25
+          }
+        },
+        {
+          "ruleId": "java/path-injection",
+          "rule": {
+            "id": "java/path-injection",
+            "index": 37,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This path depends on a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                  "index": 18
+                },
+                "region": {
+                  "startLine": 175,
+                  "startColumn": 33,
+                  "endLine": 175,
+                  "endColumn": 54
+                }
+              }
+            }
+          ],
+          "correlationGuid": "485410bf-8cbf-48eb-8680-82e1d52843ff",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "2b2bb9cdd3635201:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 53,
+                            "startColumn": 20,
+                            "endLine": 53,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFiles : File[]"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 173,
+                            "startColumn": 45,
+                            "endLine": 173,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "this.uploadedFiles : File[]"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 33,
+                            "endLine": 175,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "...[...]"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 53,
+                            "startColumn": 20,
+                            "endLine": 53,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFiles : File[]"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 33,
+                            "endLine": 175,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "this.uploadedFiles : File[]"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                            "index": 18
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 33,
+                            "endLine": 175,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "...[...]"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileAdd.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 53,
+                  "startColumn": 20,
+                  "endLine": 53,
+                  "endColumn": 33
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/26",
+            "github/alertNumber": 26
+          }
+        },
+        {
+          "ruleId": "java/path-injection",
+          "rule": {
+            "id": "java/path-injection",
+            "index": 37,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This path depends on a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                  "index": 19
+                },
+                "region": {
+                  "startLine": 129,
+                  "startColumn": 49,
+                  "endLine": 129,
+                  "endColumn": 66
+                }
+              }
+            }
+          ],
+          "correlationGuid": "3088f3ec-6971-4d9e-98fc-8f02dfab52c3",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "9449418b46954eb:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 47,
+                            "startColumn": 18,
+                            "endLine": 47,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 129,
+                            "startColumn": 49,
+                            "endLine": 129,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "this.uploadedFile"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 47,
+                            "startColumn": 18,
+                            "endLine": 47,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 21,
+                            "endLine": 125,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 129,
+                            "startColumn": 49,
+                            "endLine": 129,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "this.uploadedFile"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 47,
+                            "startColumn": 18,
+                            "endLine": 47,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "uploadedFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 126,
+                            "startColumn": 41,
+                            "endLine": 126,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "this.uploadedFile : File"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                            "index": 19
+                          },
+                          "region": {
+                            "startLine": 129,
+                            "startColumn": 49,
+                            "endLine": 129,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "this.uploadedFile"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/MediaFileEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 47,
+                  "startColumn": 18,
+                  "endLine": 47,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/27",
+            "github/alertNumber": 27
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with 'b' and with many repetitions of 'b'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 62,
+                  "startColumn": 52,
+                  "endLine": 62,
+                  "endColumn": 55
+                }
+              }
+            }
+          ],
+          "correlationGuid": "2f63c4a7-4170-47c8-917b-9ca3a0115f38",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f22c138a13ff3a37:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 33,
+                  "endLine": 38,
+                  "endColumn": 51
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/28",
+            "github/alertNumber": 28
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of '
a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 61,
+                  "startColumn": 51,
+                  "endLine": 61,
+                  "endColumn": 54
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9b0a3a9-8833-461c-93ec-3a12c3a72f91",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "80ff14788737bca8:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 22,
+                  "endLine": 38,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 38,
+                  "startColumn": 29,
+                  "endLine": 38,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/29",
+            "github/alertNumber": 29
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '' and with many repetitions of 'a'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 24
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 57,
+                  "endLine": 68,
+                  "endColumn": 66
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f9eb5f85-f753-42b1-8c6b-3bd3ef5db56e",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "6d309d833fb2b46b:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 996,
+                            "startColumn": 34,
+                            "endLine": 996,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1007,
+                            "startColumn": 34,
+                            "endLine": 1007,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 45,
+                            "endLine": 57,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 51,
+                            "endLine": 61,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 31,
+                            "endLine": 61,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "pre_matcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 32,
+                            "endLine": 66,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                            "index": 24
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 57,
+                            "endLine": 68,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "pre_inner"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 24,
+                  "endLine": 41,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/EncodePreTagsPlugin.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 41,
+                  "startColumn": 31,
+                  "endLine": 41,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/30",
+            "github/alertNumber": 30
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 60,
+                  "startColumn": 88,
+                  "endLine": 60,
+                  "endColumn": 90
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/31",
+            "github/alertNumber": 31
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of ' '.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of ' '."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 179,
+                  "startColumn": 68,
+                  "endLine": 179,
+                  "endColumn": 77
+                }
+              }
+            }
+          ],
+          "correlationGuid": "0068dc73-44a6-456e-83a7-5fe04b5899e9",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f7eba83359081407:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 77,
+                  "endLine": 66,
+                  "endColumn": 81
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/32",
+            "github/alertNumber": 32
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of '!'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of '!'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 235,
+                  "startColumn": 67,
+                  "endLine": 235,
+                  "endColumn": 70
+                }
+              }
+            }
+          ],
+          "correlationGuid": "b4530215-fde8-4f7d-8718-57bc4d310a08",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "f77ea2ce3b67490a:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 67,
+                  "endLine": 68,
+                  "endColumn": 76
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/33",
+            "github/alertNumber": 33
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](2) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](4) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](5) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](6) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](7) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('.\nThis [regular expression](1) that depends on a [user-provided value](8) may run slow on strings with many repetitions of 'a'.\nThis [regular expression](3) that depends on a [user-provided value](8) may run slow on strings starting with 'burl(\"' and with many repetitions of 'burl(\"('."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 249,
+                  "startColumn": 83,
+                  "endLine": 249,
+                  "endColumn": 93
+                }
+              }
+            }
+          ],
+          "correlationGuid": "ebd7d4fc-18fe-4894-ad98-05b92939b9a6",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "d2f751956bb0d070:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 19,
+                            "endLine": 66,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 67,
+                            "startColumn": 16,
+                            "endLine": 67,
+                            "endColumn": 24
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 174,
+                            "startColumn": 38,
+                            "endLine": 174,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "getUserName(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 30,
+                            "endLine": 94,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 95,
+                            "startColumn": 62,
+                            "endLine": 95,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "userName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 109,
+                            "startColumn": 19,
+                            "endLine": 109,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 110,
+                            "startColumn": 16,
+                            "endLine": 110,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 82,
+                            "startColumn": 40,
+                            "endLine": 82,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getOpenIdUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 47,
+                            "endLine": 86,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "openidurl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 131,
+                            "startColumn": 30,
+                            "endLine": 131,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 132,
+                            "startColumn": 63,
+                            "endLine": 132,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "openIdUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 28,
+                            "endLine": 413,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 413,
+                            "startColumn": 17,
+                            "endLine": 413,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 162,
+                            "startColumn": 40,
+                            "endLine": 162,
+                            "endColumn": 61
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 68,
+                            "endLine": 179,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "tokenBody : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 179,
+                            "startColumn": 42,
+                            "endLine": 179,
+                            "endColumn": 78
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "attributes : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 186,
+                            "startColumn": 38,
+                            "endLine": 186,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 67,
+                            "endLine": 235,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "val : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 235,
+                            "startColumn": 46,
+                            "endLine": 235,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "styles : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 240,
+                            "startColumn": 53,
+                            "endLine": 240,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 249,
+                            "startColumn": 83,
+                            "endLine": 249,
+                            "endColumn": 93
+                          }
+                        },
+                        "message": {
+                          "text": "styleValue"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 73,
+                  "endLine": 70,
+                  "endColumn": 75
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 70,
+                  "startColumn": 98,
+                  "endLine": 70,
+                  "endColumn": 103
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 8,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/34",
+            "github/alertNumber": 34
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 290,
+                  "startColumn": 103,
+                  "endLine": 290,
+                  "endColumn": 106
+                }
+              }
+            }
+          ],
+          "correlationGuid": "98c49d16-a691-4397-87d1-0bebd5d9982a",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "ea89bbca86ba4590:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 36,
+                            "endLine": 133,
+                            "endColumn": 66
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "startMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 148,
+                            "startColumn": 30,
+                            "endLine": 148,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 290,
+                            "startColumn": 103,
+                            "endLine": 290,
+                            "endColumn": 106
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/35",
+            "github/alertNumber": 35
+          }
+        },
+        {
+          "ruleId": "java/polynomial-redos",
+          "rule": {
+            "id": "java/polynomial-redos",
+            "index": 38,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "message": {
+            "text": "This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](3) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](4) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](5) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](6) may run slow on strings starting with '<' and with many repetitions of '<'.\nThis [regular expression](1) that depends on a [user-provided value](7) may run slow on strings starting with '<' and with many repetitions of '<'."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 25
+                },
+                "region": {
+                  "startLine": 308,
+                  "startColumn": 40,
+                  "endLine": 308,
+                  "endColumn": 43
+                }
+              }
+            }
+          ],
+          "correlationGuid": "5b53c901-1227-4899-94b0-02de15b8ef1b",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7fd366a6b63e95c3:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 54,
+                            "startColumn": 28,
+                            "endLine": 54,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 263,
+                            "startColumn": 16,
+                            "endLine": 263,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                            "index": 3
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 13,
+                            "endLine": 143,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 154,
+                            "startColumn": 17,
+                            "endLine": 154,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : CreateUserBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/CreateUserBean.java",
+                            "index": 26
+                          },
+                          "region": {
+                            "startLine": 156,
+                            "startColumn": 34,
+                            "endLine": 156,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 45,
+                            "startColumn": 25,
+                            "endLine": 45,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 184,
+                            "startColumn": 16,
+                            "endLine": 184,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                            "index": 4
+                          },
+                          "region": {
+                            "startLine": 78,
+                            "startColumn": 13,
+                            "endLine": 78,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 25,
+                            "endLine": 68,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 446,
+                            "startColumn": 16,
+                            "endLine": 446,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                            "index": 6
+                          },
+                          "region": {
+                            "startLine": 196,
+                            "startColumn": 17,
+                            "endLine": 196,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 17,
+                            "endLine": 134,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : ProfileBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/ProfileBean.java",
+                            "index": 5
+                          },
+                          "region": {
+                            "startLine": 136,
+                            "startColumn": 34,
+                            "endLine": 136,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "this.screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 142,
+                            "startColumn": 32,
+                            "endLine": 142,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/User.java",
+                            "index": 2
+                          },
+                          "region": {
+                            "startLine": 143,
+                            "startColumn": 64,
+                            "endLine": 143,
+                            "endColumn": 74
+                          }
+                        },
+                        "message": {
+                          "text": "screenName : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 26,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                            "index": 27
+                          },
+                          "region": {
+                            "startLine": 103,
+                            "startColumn": 17,
+                            "endLine": 103,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 17,
+                            "endLine": 86,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : BookmarkBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkBean.java",
+                            "index": 28
+                          },
+                          "region": {
+                            "startLine": 87,
+                            "startColumn": 28,
+                            "endLine": 87,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "this.name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 25,
+                            "endLine": 97,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java",
+                            "index": 29
+                          },
+                          "region": {
+                            "startLine": 98,
+                            "startColumn": 58,
+                            "endLine": 98,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "name : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 94,
+                            "startColumn": 48,
+                            "endLine": 94,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 97,
+                            "startColumn": 42,
+                            "endLine": 97,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 90,
+                            "startColumn": 35,
+                            "endLine": 90,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 91,
+                            "startColumn": 26,
+                            "endLine": 91,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 118,
+                            "startColumn": 44,
+                            "endLine": 118,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 26,
+                            "endLine": 119,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 122,
+                            "startColumn": 44,
+                            "endLine": 122,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 40,
+                            "endLine": 127,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 374,
+                            "startColumn": 42,
+                            "endLine": 374,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "html : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 28,
+                            "endLine": 396,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 396,
+                            "startColumn": 17,
+                            "endLine": 396,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "tokens [post update] : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 428,
+                            "startColumn": 16,
+                            "endLine": 428,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 127,
+                            "startColumn": 31,
+                            "endLine": 127,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "tokenize(...) : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 130,
+                            "startColumn": 29,
+                            "endLine": 130,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "tokens : ArrayList [] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 133,
+                            "startColumn": 60,
+                            "endLine": 133,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 58,
+                            "endLine": 134,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "token : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 34,
+                            "endLine": 134,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "endMatcher : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 49
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 305,
+                            "startColumn": 30,
+                            "endLine": 305,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "toLowerCase(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                            "index": 25
+                          },
+                          "region": {
+                            "startLine": 308,
+                            "startColumn": 40,
+                            "endLine": 308,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "tag"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 64,
+                  "startColumn": 65,
+                  "endLine": 64,
+                  "endColumn": 67
+                }
+              },
+              "message": {
+                "text": "regular expression"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/admin/UserEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 54,
+                  "startColumn": 28,
+                  "endLine": 54,
+                  "endColumn": 32
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 3,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 45,
+                  "startColumn": 25,
+                  "endLine": 45,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 4,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Register.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 68,
+                  "startColumn": 25,
+                  "endLine": 68,
+                  "endColumn": 29
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 5,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 26,
+                  "endLine": 42,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 6,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 7,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/FolderEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 46,
+                  "startColumn": 24,
+                  "endLine": 46,
+                  "endColumn": 28
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/36",
+            "github/alertNumber": 36
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 36,
+                  "endLine": 49,
+                  "endColumn": 51
+                }
+              }
+            }
+          ],
+          "correlationGuid": "1923e2ac-ef5c-43bf-b786-86bf2b341004",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "77bb988d556b367:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 54,
+                            "endLine": 44,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 44,
+                            "startColumn": 31,
+                            "endLine": 44,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "mailtoMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 46,
+                            "startColumn": 28,
+                            "endLine": 46,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 36,
+                            "endLine": 49,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "... + ..."
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/37",
+            "github/alertNumber": 37
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 66,
+                  "startColumn": 36,
+                  "endLine": 66,
+                  "endColumn": 38
+                }
+              }
+            }
+          ],
+          "correlationGuid": "f7e56bbc-467c-4e07-a916-b3b3c362a229",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "e97d22a8b2a0b291:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 64,
+                            "startColumn": 25,
+                            "endLine": 64,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 36,
+                            "endLine": 66,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "at"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/38",
+            "github/alertNumber": 38
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1).\nThis regular expression is constructed from a [user-provided value](2)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                  "index": 20
+                },
+                "region": {
+                  "startLine": 71,
+                  "startColumn": 36,
+                  "endLine": 71,
+                  "endColumn": 39
+                }
+              }
+            }
+          ],
+          "correlationGuid": "49c124bf-2a10-4623-9976-3376d4c86436",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "9713a8da9d6dd391:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 988,
+                            "startColumn": 34,
+                            "endLine": 988,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 897,
+                            "startColumn": 19,
+                            "endLine": 897,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 302,
+                            "startColumn": 19,
+                            "endLine": 302,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 303,
+                            "startColumn": 16,
+                            "endLine": 303,
+                            "endColumn": 25
+                          }
+                        },
+                        "message": {
+                          "text": "this.text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 898,
+                            "startColumn": 23,
+                            "endLine": 898,
+                            "endColumn": 32
+                          }
+                        },
+                        "message": {
+                          "text": "getText(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 25,
+                            "endLine": 75,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 323,
+                            "startColumn": 16,
+                            "endLine": 323,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 53,
+                            "endLine": 387,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "getEntry(...) : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 22,
+                            "endLine": 58,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 21,
+                            "endLine": 89,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "tEntry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 89,
+                            "startColumn": 13,
+                            "endLine": 89,
+                            "endColumn": 18
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> [post update] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 58,
+                            "startColumn": 12,
+                            "endLine": 58,
+                            "endColumn": 21
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this [Return] : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 387,
+                            "startColumn": 39,
+                            "endLine": 388,
+                            "endColumn": 43
+                          }
+                        },
+                        "message": {
+                          "text": "new Trackback(...) : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 389,
+                            "startColumn": 27,
+                            "endLine": 389,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "trackback : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 100,
+                            "startColumn": 27,
+                            "endLine": 100,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "this <.field> : Trackback [entry] : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 107,
+                            "startColumn": 24,
+                            "endLine": 107,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Trackback.java",
+                            "index": 22
+                          },
+                          "region": {
+                            "startLine": 108,
+                            "startColumn": 65,
+                            "endLine": 108,
+                            "endColumn": 70
+                          }
+                        },
+                        "message": {
+                          "text": "entry : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1018,
+                            "startColumn": 19,
+                            "endLine": 1018,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 1019,
+                            "startColumn": 16,
+                            "endLine": 1019,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 980,
+                            "startColumn": 19,
+                            "endLine": 980,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 990,
+                            "startColumn": 34,
+                            "endLine": 990,
+                            "endColumn": 38
+                          }
+                        },
+                        "message": {
+                          "text": "this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 904,
+                            "startColumn": 19,
+                            "endLine": 904,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "this <.method> : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 274,
+                            "startColumn": 19,
+                            "endLine": 274,
+                            "endColumn": 29
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogEntry"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 275,
+                            "startColumn": 16,
+                            "endLine": 275,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "summary : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 905,
+                            "startColumn": 23,
+                            "endLine": 905,
+                            "endColumn": 35
+                          }
+                        },
+                        "message": {
+                          "text": "getSummary(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 943,
+                            "startColumn": 27,
+                            "endLine": 943,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 40,
+                            "endLine": 116,
+                            "endColumn": 47
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 141,
+                            "startColumn": 16,
+                            "endLine": 141,
+                            "endColumn": 19
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 116,
+                            "startColumn": 20,
+                            "endLine": 116,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 23,
+                            "endLine": 102,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/PluginManagerImpl.java",
+                            "index": 31
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 48,
+                            "endLine": 102,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 26,
+                            "endLine": 68,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 65
+                          }
+                        },
+                        "message": {
+                          "text": "getRequestURL(...) : StringBuffer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 88,
+                            "startColumn": 42,
+                            "endLine": 88,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "toString(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 99,
+                            "startColumn": 118,
+                            "endLine": 99,
+                            "endColumn": 135
+                          }
+                        },
+                        "message": {
+                          "text": "requestURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "fullUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 125,
+                            "startColumn": 19,
+                            "endLine": 125,
+                            "endColumn": 46
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 36,
+                            "endLine": 134,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 137,
+                            "startColumn": 49,
+                            "endLine": 137,
+                            "endColumn": 59
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 23
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 139,
+                            "startColumn": 20,
+                            "endLine": 139,
+                            "endColumn": 54
+                          }
+                        },
+                        "message": {
+                          "text": "substring(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 134,
+                            "startColumn": 16,
+                            "endLine": 134,
+                            "endColumn": 40
+                          }
+                        },
+                        "message": {
+                          "text": "removeTrailingSlash(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 86,
+                            "startColumn": 16,
+                            "endLine": 88,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 34,
+                            "endLine": 66,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                            "index": 8
+                          },
+                          "region": {
+                            "startLine": 69,
+                            "startColumn": 62,
+                            "endLine": 69,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "absPath : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 175,
+                            "startColumn": 46,
+                            "endLine": 175,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 176,
+                            "startColumn": 30,
+                            "endLine": 176,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 51,
+                            "startColumn": 27,
+                            "endLine": 51,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/config/WebloggerRuntimeConfig.java",
+                            "index": 9
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 16,
+                            "endLine": 195,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "absoluteContextURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 85,
+                            "startColumn": 30,
+                            "endLine": 85,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getAbsoluteContextURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 32,
+                            "endLine": 101,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 96,
+                            "startColumn": 17,
+                            "endLine": 96,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "tempS [post update] : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 106,
+                            "startColumn": 39,
+                            "endLine": 106,
+                            "endColumn": 44
+                          }
+                        },
+                        "message": {
+                          "text": "tempS : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 42,
+                            "startColumn": 21,
+                            "endLine": 42,
+                            "endColumn": 30
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "imageTags : String[] [[]] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 39,
+                            "endLine": 119,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "...[...] : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 119,
+                            "startColumn": 20,
+                            "endLine": 119,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "replaceAll(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/SmileysPlugin.java",
+                            "index": 30
+                          },
+                          "region": {
+                            "startLine": 121,
+                            "startColumn": 16,
+                            "endLine": 121,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "text : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 35,
+                            "endLine": 960,
+                            "endColumn": 63
+                          }
+                        },
+                        "message": {
+                          "text": "render(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/pojos/WeblogEntry.java",
+                            "index": 14
+                          },
+                          "region": {
+                            "startLine": 960,
+                            "startColumn": 59,
+                            "endLine": 960,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "ret : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 65,
+                            "startColumn": 45,
+                            "endLine": 65,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/business/plugins/entry/ObfuscateEmailPlugin.java",
+                            "index": 23
+                          },
+                          "region": {
+                            "startLine": 66,
+                            "startColumn": 38,
+                            "endLine": 66,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 41,
+                            "startColumn": 38,
+                            "endLine": 41,
+                            "endColumn": 48
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 19,
+                            "endLine": 49,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "replaceFirst(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 52,
+                            "startColumn": 31,
+                            "endLine": 52,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 61,
+                            "startColumn": 41,
+                            "endLine": 61,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 52,
+                            "endLine": 62,
+                            "endColumn": 55
+                          }
+                        },
+                        "message": {
+                          "text": "str : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 62,
+                            "startColumn": 30,
+                            "endLine": 62,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "matcher(...) : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "emailMatch : Matcher"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 68,
+                            "startColumn": 48,
+                            "endLine": 68,
+                            "endColumn": 67
+                          }
+                        },
+                        "message": {
+                          "text": "group(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/util/RegexUtil.java",
+                            "index": 20
+                          },
+                          "region": {
+                            "startLine": 71,
+                            "startColumn": 36,
+                            "endLine": 71,
+                            "endColumn": 39
+                          }
+                        },
+                        "message": {
+                          "text": "dot"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 75,
+                  "startColumn": 25,
+                  "endLine": 75,
+                  "endColumn": 30
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/core/filters/InitFilter.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 88,
+                  "startColumn": 42,
+                  "endLine": 88,
+                  "endColumn": 65
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/39",
+            "github/alertNumber": 39
+          }
+        },
+        {
+          "ruleId": "java/regex-injection",
+          "rule": {
+            "id": "java/regex-injection",
+            "index": 41,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "This regular expression is constructed from a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                  "index": 32
+                },
+                "region": {
+                  "startLine": 438,
+                  "startColumn": 48,
+                  "endLine": 438,
+                  "endColumn": 53
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d8bfdf72-6bfc-410e-8a9f-acdb38e8d713",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "41fca1ccdb5c516f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 55,
+                            "startColumn": 30,
+                            "endLine": 55,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 204,
+                            "startColumn": 16,
+                            "endLine": 204,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 56
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 101,
+                            "startColumn": 19,
+                            "endLine": 101,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : WeblogConfigBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfigBean.java",
+                            "index": 34
+                          },
+                          "region": {
+                            "startLine": 102,
+                            "startColumn": 16,
+                            "endLine": 102,
+                            "endColumn": 36
+                          }
+                        },
+                        "message": {
+                          "text": "this.bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                            "index": 33
+                          },
+                          "region": {
+                            "startLine": 195,
+                            "startColumn": 47,
+                            "endLine": 195,
+                            "endColumn": 77
+                          }
+                        },
+                        "message": {
+                          "text": "getBannedwordslist(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 427,
+                            "startColumn": 9,
+                            "endLine": 427,
+                            "endColumn": 31
+                          }
+                        },
+                        "message": {
+                          "text": "bannedwordslist : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 53,
+                            "endLine": 431,
+                            "endColumn": 83
+                          }
+                        },
+                        "message": {
+                          "text": "... + ... : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 431,
+                            "startColumn": 33,
+                            "endLine": 431,
+                            "endColumn": 90
+                          }
+                        },
+                        "message": {
+                          "text": "new StringTokenizer(...) : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 33
+                          }
+                        },
+                        "message": {
+                          "text": "toker : StringTokenizer"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 45
+                          }
+                        },
+                        "message": {
+                          "text": "nextToken(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 433,
+                            "startColumn": 28,
+                            "endLine": 433,
+                            "endColumn": 52
+                          }
+                        },
+                        "message": {
+                          "text": "trim(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/Bannedwordslist.java",
+                            "index": 32
+                          },
+                          "region": {
+                            "startLine": 438,
+                            "startColumn": 48,
+                            "endLine": 438,
+                            "endColumn": 53
+                          }
+                        },
+                        "message": {
+                          "text": "token"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/WeblogConfig.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 55,
+                  "startColumn": 30,
+                  "endLine": 55,
+                  "endColumn": 34
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/40",
+            "github/alertNumber": 40
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                  "index": 35
+                },
+                "region": {
+                  "startLine": 230,
+                  "startColumn": 57,
+                  "endLine": 230,
+                  "endColumn": 72
+                }
+              }
+            }
+          ],
+          "correlationGuid": "9d0ad640-089c-4ee1-b3ed-dfbe72c4e5b1",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "248fddc681a75a01:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            },
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 49,
+                            "startColumn": 20,
+                            "endLine": 49,
+                            "endColumn": 26
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 313,
+                            "startColumn": 16,
+                            "endLine": 313,
+                            "endColumn": 22
+                          }
+                        },
+                        "message": {
+                          "text": "subUrl : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                            "index": 36
+                          },
+                          "region": {
+                            "startLine": 188,
+                            "startColumn": 53,
+                            "endLine": 188,
+                            "endColumn": 64
+                          }
+                        },
+                        "message": {
+                          "text": "getSubUrl(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 43,
+                            "endLine": 74,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 75,
+                            "startColumn": 34,
+                            "endLine": 75,
+                            "endColumn": 41
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 63,
+                            "startColumn": 43,
+                            "endLine": 63,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/planet/business/WebloggerRomeFeedFetcher.java",
+                            "index": 37
+                          },
+                          "region": {
+                            "startLine": 74,
+                            "startColumn": 44,
+                            "endLine": 74,
+                            "endColumn": 51
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 83,
+                            "startColumn": 43,
+                            "endLine": 83,
+                            "endColumn": 57
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 93,
+                            "startColumn": 30,
+                            "endLine": 93,
+                            "endColumn": 37
+                          }
+                        },
+                        "message": {
+                          "text": "feedURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 228,
+                            "startColumn": 32,
+                            "endLine": 228,
+                            "endColumn": 42
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 68,
+                            "endLine": 230,
+                            "endColumn": 71
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/planet/business/fetcher/RomeFeedFetcher.java",
+                            "index": 35
+                          },
+                          "region": {
+                            "startLine": 230,
+                            "startColumn": 57,
+                            "endLine": 230,
+                            "endColumn": 72
+                          }
+                        },
+                        "message": {
+                          "text": "create(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/planet/ui/PlanetGroupSubs.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 49,
+                  "startColumn": 20,
+                  "endLine": 49,
+                  "endColumn": 26
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/41",
+            "github/alertNumber": 41
+          }
+        },
+        {
+          "ruleId": "java/ssrf",
+          "rule": {
+            "id": "java/ssrf",
+            "index": 47,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "Potential server-side request forgery due to a [user-provided value](1)."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                  "index": 38
+                },
+                "region": {
+                  "startLine": 57,
+                  "startColumn": 57,
+                  "endLine": 57,
+                  "endColumn": 69
+                }
+              }
+            }
+          ],
+          "correlationGuid": "839215e6-bef4-4426-97bf-80d3555da65d",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "c240ab2d5b41ea5f:1"
+          },
+          "codeFlows": [
+            {
+              "threadFlows": [
+                {
+                  "locations": [
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 72,
+                            "startColumn": 23,
+                            "endLine": 72,
+                            "endColumn": 27
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 315,
+                            "startColumn": 16,
+                            "endLine": 315,
+                            "endColumn": 20
+                          }
+                        },
+                        "message": {
+                          "text": "bean : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 58
+                          }
+                        },
+                        "message": {
+                          "text": "getBean(...) : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 223,
+                            "startColumn": 19,
+                            "endLine": 223,
+                            "endColumn": 34
+                          }
+                        },
+                        "message": {
+                          "text": "parameter this : EntryBean"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryBean.java",
+                            "index": 39
+                          },
+                          "region": {
+                            "startLine": 224,
+                            "startColumn": 16,
+                            "endLine": 224,
+                            "endColumn": 28
+                          }
+                        },
+                        "message": {
+                          "text": "enclosureURL : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                            "index": 21
+                          },
+                          "region": {
+                            "startLine": 231,
+                            "startColumn": 49,
+                            "endLine": 231,
+                            "endColumn": 76
+                          }
+                        },
+                        "message": {
+                          "text": "getEnclosureURL(...) : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 48,
+                            "startColumn": 52,
+                            "endLine": 48,
+                            "endColumn": 62
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 65,
+                            "endLine": 57,
+                            "endColumn": 68
+                          }
+                        },
+                        "message": {
+                          "text": "url : String"
+                        }
+                      }
+                    },
+                    {
+                      "location": {
+                        "physicalLocation": {
+                          "artifactLocation": {
+                            "uri": "app/src/main/java/org/apache/roller/weblogger/util/MediacastUtil.java",
+                            "index": 38
+                          },
+                          "region": {
+                            "startLine": 57,
+                            "startColumn": 57,
+                            "endLine": 57,
+                            "endColumn": 69
+                          }
+                        },
+                        "message": {
+                          "text": "new URL(...)"
+                        }
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ],
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/EntryEdit.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 72,
+                  "startColumn": 23,
+                  "endLine": 72,
+                  "endColumn": 27
+                }
+              },
+              "message": {
+                "text": "user-provided value"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/42",
+            "github/alertNumber": 42
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 147,
+                  "startColumn": 24,
+                  "endLine": 147,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "d722e768-31a0-417b-9b87-847c29a58084",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "7c1f69188f18e239:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/43",
+            "github/alertNumber": 43
+          }
+        },
+        {
+          "ruleId": "java/error-message-exposure",
+          "rule": {
+            "id": "java/error-message-exposure",
+            "index": 13,
+            "toolComponent": {
+              "index": 0
+            }
+          },
+          "level": "error",
+          "message": {
+            "text": "[Error information](1) can be exposed to an external user.\n[Error information](2) can be exposed to an external user."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 40
+                },
+                "region": {
+                  "startLine": 221,
+                  "startColumn": 24,
+                  "endLine": 221,
+                  "endColumn": 52
+                }
+              }
+            }
+          ],
+          "correlationGuid": "4df5ee6f-b915-488c-ba43-35a70984f360",
+          "partialFingerprints": {
+            "primaryLocationLineHash": "517a7a49b664a801:1"
+          },
+          "relatedLocations": [
+            {
+              "id": 1,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 142,
+                  "startColumn": 25,
+                  "endLine": 142,
+                  "endColumn": 39
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            },
+            {
+              "id": 2,
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet.java",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 214,
+                  "startColumn": 21,
+                  "endLine": 214,
+                  "endColumn": 35
+                }
+              },
+              "message": {
+                "text": "Error information"
+              }
+            }
+          ],
+          "properties": {
+            "github/alertUrl": "https://api.github.com/repos/hintwatermelon/roller/code-scanning/alerts/44",
+            "github/alertNumber": 44
+          }
+        }
+      ],
+      "automationDetails": {
+        "id": ".github/workflows/codeql-analysis.yml:analyze/language:java/"
+      },
+      "properties": {
+        "codeqlConfigSummary": {}
+      }
+    }
+  ]
+}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/BaseHeaderInjectionFixStrategy.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/BaseHeaderInjectionFixStrategy.java
new file mode 100644
index 000000000..7f8b472ab
--- /dev/null
+++ b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/BaseHeaderInjectionFixStrategy.java
@@ -0,0 +1,86 @@
+package io.codemodder.remediation.headerinjection;
+
+import static io.codemodder.javaparser.JavaParserTransformer.wrap;
+
+import com.github.javaparser.StaticJavaParser;
+import com.github.javaparser.ast.NodeList;
+import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
+import com.github.javaparser.ast.body.MethodDeclaration;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.StringLiteralExpr;
+import io.codemodder.remediation.RemediationStrategy;
+import io.codemodder.remediation.SuccessOrReason;
+import java.util.Optional;
+import java.util.Set;
+
+/** Base class for header injection fix strategies. */
+abstract class BaseHeaderInjectionFixStrategy implements RemediationStrategy {
+
+  protected BaseHeaderInjectionFixStrategy() {}
+
+  private static final String validatorMethodName = "stripNewlines";
+
+  private static final String fixMethodCode =
+      """
+                          private static String stripNewlines(final String s) {
+                            return s.replaceAll("[\\n\\r]", "");
+                          }
+                          """;
+
+  protected static final Set setHeaderNames = Set.of("setHeader", "addHeader");
+
+  /**
+   * Fix the header injection issue.
+   *
+   * @param setHeaderCall the method call to fix
+   * @param headerValueArgument the argument to fix
+   * @return success or reason
+   */
+  protected SuccessOrReason fix(
+      final MethodCallExpr setHeaderCall, final Expression headerValueArgument) {
+    Optional maybeParentClass =
+        setHeaderCall.findAncestor(ClassOrInterfaceDeclaration.class);
+    if (maybeParentClass.isEmpty()) {
+      return SuccessOrReason.reason("Could not find parent class");
+    }
+    var parentClass = maybeParentClass.get();
+
+    // add the validation method if it's not already present
+    if (parentClass.isInterface()) {
+      MethodCallExpr inlinedStripCall =
+          new MethodCallExpr(
+              headerValueArgument,
+              "replaceAll",
+              NodeList.nodeList(new StringLiteralExpr("[\\n\\r]"), new StringLiteralExpr("")));
+      setHeaderCall.getArguments().set(1, inlinedStripCall);
+    } else {
+      wrap(headerValueArgument).withScopelessMethod(validatorMethodName);
+      boolean alreadyHasResourceValidationCallPresent =
+          isAlreadyHasResourceValidationCallPresent(parentClass);
+      if (!alreadyHasResourceValidationCallPresent) {
+        addValidationCall(parentClass);
+      }
+    }
+    return SuccessOrReason.success();
+  }
+
+  private static boolean isAlreadyHasResourceValidationCallPresent(
+      final ClassOrInterfaceDeclaration parentClass) {
+    return parentClass.findAll(MethodDeclaration.class).stream()
+        .anyMatch(
+            md ->
+                md.getNameAsString().equals(validatorMethodName)
+                    && md.getParameters().size() == 1
+                    && md.getParameters().get(0).getTypeAsString().equals("String"));
+  }
+
+  private static void addValidationCall(final ClassOrInterfaceDeclaration parentClass) {
+    // one might be tempted to cache this result, but then it will be a shared resource with
+    // shared CST metadata and cause bugs
+    MethodDeclaration fixMethod = StaticJavaParser.parseMethodDeclaration(fixMethodCode);
+
+    // add the method to the class
+    parentClass.addMember(fixMethod);
+  }
+}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixMethodArgumentStrategy.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixMethodArgumentStrategy.java
new file mode 100644
index 000000000..f63d652bb
--- /dev/null
+++ b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixMethodArgumentStrategy.java
@@ -0,0 +1,33 @@
+package io.codemodder.remediation.headerinjection;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.StringLiteralExpr;
+import io.codemodder.ast.ASTs;
+import io.codemodder.remediation.SuccessOrReason;
+import java.util.Optional;
+
+/** Harden when the location points to a method call argument. */
+final class HeaderInjectionFixMethodArgumentStrategy extends BaseHeaderInjectionFixStrategy {
+
+  static boolean matchMethodArgument(final Node node) {
+    return node instanceof Expression expression
+        && ASTs.isArgumentOfMethodCall(expression)
+            .filter(call -> call.hasScope() && setHeaderNames.contains(call.getNameAsString()))
+            .filter(call -> call.getArguments().size() == 2)
+            .filter(call -> !(call.getArgument(1) instanceof StringLiteralExpr))
+            .filter(call -> call.getArgument(1) == node)
+            .isPresent();
+  }
+
+  @Override
+  public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
+    // have all the guarantees this is what we expect from the matcher call above
+    Expression expression = (Expression) node;
+    Optional maybeMethodCall = ASTs.isArgumentOfMethodCall(expression);
+    MethodCallExpr setHeaderCall = maybeMethodCall.get();
+    return fix(setHeaderCall, setHeaderCall.getArgument(1));
+  }
+}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixMethodCallStrategy.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixMethodCallStrategy.java
new file mode 100644
index 000000000..a1d84687e
--- /dev/null
+++ b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixMethodCallStrategy.java
@@ -0,0 +1,25 @@
+package io.codemodder.remediation.headerinjection;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.StringLiteralExpr;
+import io.codemodder.remediation.*;
+
+/** Harden when the location points to a method call itself. */
+final class HeaderInjectionFixMethodCallStrategy extends BaseHeaderInjectionFixStrategy {
+
+  static boolean matchMethodCall(final Node node) {
+    return node instanceof MethodCallExpr call
+        && call.hasScope()
+        && setHeaderNames.contains(call.getNameAsString())
+        && call.getArguments().size() == 2
+        && !(call.getArgument(1) instanceof StringLiteralExpr);
+  }
+
+  @Override
+  public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
+    MethodCallExpr methodCall = (MethodCallExpr) node;
+    return fix(methodCall, methodCall.getArgument(1));
+  }
+}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixStrategy.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixStrategy.java
deleted file mode 100644
index 52c45d441..000000000
--- a/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionFixStrategy.java
+++ /dev/null
@@ -1,75 +0,0 @@
-package io.codemodder.remediation.headerinjection;
-
-import static io.codemodder.javaparser.JavaParserTransformer.wrap;
-
-import com.github.javaparser.StaticJavaParser;
-import com.github.javaparser.ast.CompilationUnit;
-import com.github.javaparser.ast.Node;
-import com.github.javaparser.ast.NodeList;
-import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
-import com.github.javaparser.ast.body.MethodDeclaration;
-import com.github.javaparser.ast.expr.Expression;
-import com.github.javaparser.ast.expr.MethodCallExpr;
-import com.github.javaparser.ast.expr.StringLiteralExpr;
-import io.codemodder.remediation.*;
-import java.util.Optional;
-
-/** Default strategy to harden header injection vulnerabilities. */
-public final class HeaderInjectionFixStrategy implements RemediationStrategy {
-
-  private static final String validatorMethodName = "stripNewlines";
-
-  private static final String fixMethodCode =
-      """
-                    private static String stripNewlines(final String s) {
-                      return s.replaceAll("[\\n\\r]", "");
-                    }
-                    """;
-
-  @Override
-  public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
-    var maybeMethodCall =
-        Optional.of(node).map(n -> n instanceof MethodCallExpr ? (MethodCallExpr) n : null);
-    if (maybeMethodCall.isEmpty()) {
-      return SuccessOrReason.reason("Not a method call");
-    }
-    MethodCallExpr setHeaderCall = maybeMethodCall.get();
-    Expression headerValueArgument = setHeaderCall.getArgument(1);
-    wrap(headerValueArgument).withScopelessMethod(validatorMethodName);
-
-    Optional maybeParentClass =
-        setHeaderCall.findAncestor(ClassOrInterfaceDeclaration.class);
-    if (maybeParentClass.isEmpty()) {
-      return SuccessOrReason.reason("Could not find parent class");
-    }
-    var parentClass = maybeParentClass.get();
-
-    // add the validation method if it's not already present
-    if (parentClass.isInterface()) {
-      MethodCallExpr inlinedStripCall =
-          new MethodCallExpr(
-              headerValueArgument,
-              "replaceAll",
-              NodeList.nodeList(new StringLiteralExpr("[\\n\\r]"), new StringLiteralExpr("")));
-      setHeaderCall.getArguments().set(1, inlinedStripCall);
-    } else {
-      boolean alreadyHasResourceValidationCallPresent =
-          parentClass.findAll(MethodDeclaration.class).stream()
-              .anyMatch(
-                  md ->
-                      md.getNameAsString().equals(validatorMethodName)
-                          && md.getParameters().size() == 1
-                          && md.getParameters().get(0).getTypeAsString().equals("String"));
-
-      if (!alreadyHasResourceValidationCallPresent) {
-        // one might be tempted to cache this result, but then it will be a shared resource with
-        // shared CST metadata and cause bugs
-        MethodDeclaration fixMethod = StaticJavaParser.parseMethodDeclaration(fixMethodCode);
-
-        // add the method to the class
-        parentClass.addMember(fixMethod);
-      }
-    }
-    return SuccessOrReason.success();
-  }
-}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionRemediator.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionRemediator.java
index 5d0b6d8f4..702d9da0b 100644
--- a/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionRemediator.java
+++ b/framework/codemodder-base/src/main/java/io/codemodder/remediation/headerinjection/HeaderInjectionRemediator.java
@@ -1,9 +1,6 @@
 package io.codemodder.remediation.headerinjection;
 
 import com.github.javaparser.ast.CompilationUnit;
-import com.github.javaparser.ast.Node;
-import com.github.javaparser.ast.expr.MethodCallExpr;
-import com.github.javaparser.ast.expr.StringLiteralExpr;
 import io.codemodder.CodemodFileScanningResult;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.remediation.*;
@@ -19,24 +16,19 @@ public final class HeaderInjectionRemediator implements Remediator {
 
   private final SearcherStrategyRemediator searchStrategyRemediator;
 
-  private static final Set setHeaderNames = Set.of("setHeader", "addHeader");
-
   public HeaderInjectionRemediator() {
     this.searchStrategyRemediator =
         new SearcherStrategyRemediator.Builder()
             .withSearcherStrategyPair(
                 new FixCandidateSearcher.Builder()
-                    .withMatcher(
-                        node ->
-                            Optional.of(node)
-                                .map(n -> n instanceof MethodCallExpr ? (MethodCallExpr) n : null)
-                                .filter(Node::hasScope)
-                                .filter(mce -> setHeaderNames.contains(mce.getNameAsString()))
-                                .filter(mce -> mce.getArguments().size() == 2)
-                                .filter(mce -> !(mce.getArgument(1) instanceof StringLiteralExpr))
-                                .isPresent())
+                    .withMatcher(HeaderInjectionFixMethodCallStrategy::matchMethodCall)
+                    .build(),
+                new HeaderInjectionFixMethodCallStrategy())
+            .withSearcherStrategyPair(
+                new FixCandidateSearcher.Builder()
+                    .withMatcher(HeaderInjectionFixMethodArgumentStrategy::matchMethodArgument)
                     .build(),
-                new HeaderInjectionFixStrategy())
+                new HeaderInjectionFixMethodArgumentStrategy())
             .build();
   }
 
diff --git a/framework/codemodder-base/src/test/java/io/codemodder/remediation/headerinjection/DefaultHeaderInjectionRemediatorTest.java b/framework/codemodder-base/src/test/java/io/codemodder/remediation/headerinjection/HeaderInjectionRemediatorTest.java
similarity index 99%
rename from framework/codemodder-base/src/test/java/io/codemodder/remediation/headerinjection/DefaultHeaderInjectionRemediatorTest.java
rename to framework/codemodder-base/src/test/java/io/codemodder/remediation/headerinjection/HeaderInjectionRemediatorTest.java
index 7d0a0381f..c62051e3d 100644
--- a/framework/codemodder-base/src/test/java/io/codemodder/remediation/headerinjection/DefaultHeaderInjectionRemediatorTest.java
+++ b/framework/codemodder-base/src/test/java/io/codemodder/remediation/headerinjection/HeaderInjectionRemediatorTest.java
@@ -20,7 +20,7 @@
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 
-final class DefaultHeaderInjectionRemediatorTest {
+final class HeaderInjectionRemediatorTest {
 
   private HeaderInjectionRemediator remediator;
   private DetectorRule rule;