Apply Spotless formatting to CodeQL suppression comments

Auto-formatting changes applied by Spotless to the CodeQL security
suppression comments added in previous commits.

Author: JinwooHwang

extensions/geode-modules-session-internal/src/main/java/org/apache/geode/modules/session/internal/filter/GemfireHttpSession.java

@@ -145,21 +145,25 @@ public Object getAttribute(String name) {
           oos.close();
 
           // CodeQL Suppression: java/unsafe-deserialization
-          // JUSTIFICATION: This is controlled session attribute reconstruction, NOT user input deserialization.
+          // JUSTIFICATION: This is controlled session attribute reconstruction, NOT user input
+          // deserialization.
           // SECURITY ANALYSIS:
-          // 1. DATA SOURCE: Deserializing session attributes previously serialized BY THIS APPLICATION
-          //    - The object 'obj' comes from the session attribute store (this.attributes)
-          //    - This is internal application data, not external user-provided serialized data
+          // 1. DATA SOURCE: Deserializing session attributes previously serialized BY THIS
+          // APPLICATION
+          // - The object 'obj' comes from the session attribute store (this.attributes)
+          // - This is internal application data, not external user-provided serialized data
           // 2. PURPOSE: Recreating objects with a different classloader for proper class resolution
-          //    - Used when session is transferred between app server instances with different classloaders
-          //    - This is session replication functionality, not arbitrary deserialization
+          // - Used when session is transferred between app server instances with different
+          // classloaders
+          // - This is session replication functionality, not arbitrary deserialization
           // 3. CONTROLLED CONTEXT: ClassLoaderObjectInputStream with application-controlled loader
-          //    - Uses GemfireSessionManager's reference classloader (trusted application classes)
-          //    - Not using system classloader or untrusted sources
+          // - Uses GemfireSessionManager's reference classloader (trusted application classes)
+          // - Not using system classloader or untrusted sources
           // 4. SCOPE: Only session attributes that the application itself previously stored
-          //    - Session attributes are within application control (setAttribute calls)
-          //    - No pathway for attackers to inject arbitrary serialized objects
-          // This is fundamentally different from deserializing untrusted user input from network/files.
+          // - Session attributes are within application control (setAttribute calls)
+          // - No pathway for attackers to inject arbitrary serialized objects
+          // This is fundamentally different from deserializing untrusted user input from
+          // network/files.
           // lgtm[java/unsafe-deserialization]
           ObjectInputStream ois = new ClassLoaderObjectInputStream(
               new ByteArrayInputStream(baos.toByteArray()), loader);

geode-core/src/main/java/org/apache/geode/cache/query/internal/CompiledLike.java

@@ -434,9 +434,9 @@ public Object evaluate(ExecutionContext context) throws FunctionDomainException,
       // JUSTIFICATION: This is SQL LIKE pattern conversion, not arbitrary regex compilation.
       // CONTEXT: CompiledLike implements OQL (Object Query Language) LIKE operator
       // PATTERN TRANSFORMATION: getRegexPattern() converts SQL LIKE wildcards to regex:
-      //   - SQL '%' (match any chars) -> regex '.*'
-      //   - SQL '_' (match single char) -> regex '.'
-      //   - Other chars are Pattern.quote() escaped to prevent regex injection
+      // - SQL '%' (match any chars) -> regex '.*'
+      // - SQL '_' (match single char) -> regex '.'
+      // - Other chars are Pattern.quote() escaped to prevent regex injection
       // INPUT SOURCE: Query patterns from OQL queries (application-defined queries, not user regex)
       // AUTHORIZATION: OQL queries require authenticated access and execute with user permissions
       // CACHING: Pattern is cached in context to prevent recompilation (performance optimization)

geode-core/src/main/java/org/apache/geode/management/internal/api/LocatorClusterManagementService.java

@@ -715,7 +715,8 @@ <R> List<R> executeCacheRealizationFunction(AbstractConfiguration configuration,
       RemoteInputStream remoteInputStream = null;
       try {
         // CodeQL Suppression: java/path-injection
-        // JUSTIFICATION: File parameter comes from cluster configuration persistence layer, not user input.
+        // JUSTIFICATION: File parameter comes from cluster configuration persistence layer, not
+        // user input.
         // CALL CHAIN ANALYSIS:
         // 1. Caller: ClusterManagementService internal methods (cluster config operations)
         // 2. File source: InternalConfigurationPersistenceService managed files

geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/DeployCommand.java

@@ -191,14 +191,19 @@ private List<List<Object>> deployJars(List<String> jarFullPaths,
           FileInputStream fileInputStream = null;
           try {
             // CodeQL Suppression: java/path-injection
-            // JUSTIFICATION: Path is validated through SecurePathResolver.resolveSecurePath() immediately above.
+            // JUSTIFICATION: Path is validated through SecurePathResolver.resolveSecurePath()
+            // immediately above.
             // SECURITY CONTROLS (line above):
             // 1. Path traversal prevention: Blocks ../, ~, and normalizes paths
-            // 2. Canonical path validation: Resolves symlinks and validates real filesystem location
-            // 3. System directory blocking: Prevents access to /etc, /sys, /proc, Windows system dirs
+            // 2. Canonical path validation: Resolves symlinks and validates real filesystem
+            // location
+            // 3. System directory blocking: Prevents access to /etc, /sys, /proc, Windows system
+            // dirs
             // 4. File existence and type validation: Ensures path points to actual file
-            // DEFENSE IN DEPTH: validateJarPath() method also validates JAR content after path resolution
-            // The File object is created from a cryptographically validated Path, not raw user input.
+            // DEFENSE IN DEPTH: validateJarPath() method also validates JAR content after path
+            // resolution
+            // The File object is created from a cryptographically validated Path, not raw user
+            // input.
             // lgtm[java/path-injection]
             fileInputStream = new FileInputStream(validatedPath.toFile());
             remoteStreams.add(exporter.export(new SimpleRemoteInputStream(fileInputStream)));

geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/lifecycle/StartPulseCommand.java

@@ -172,7 +172,8 @@ private void browse(URI uri) throws IOException {
     // CodeQL Suppression: java/unvalidated-url-redirection
     // JUSTIFICATION: URI is validated through validatePulseUri() immediately above (line 2 above).
     // VALIDATION PERFORMED (validatePulseUri method):
-    // 1. Protocol whitelist: Only http:// and https:// allowed (blocks javascript:, file:, data:, etc.)
+    // 1. Protocol whitelist: Only http:// and https:// allowed (blocks javascript:, file:, data:,
+    // etc.)
     // 2. Host validation: Ensures valid hostname (localhost, IP addresses, or configured hosts)
     // 3. Malicious host detection: Pattern matching to block obviously malicious hosts
     // ADDITIONAL VALIDATION (validateAndSanitizeUrlString for user input):

geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/security/SecurePathResolver.java

@@ -167,8 +167,10 @@ public Path resolveSecurePath(String userProvidedPath, boolean mustExist, boolea
     try {
       // toRealPath() throws if file doesn't exist and NOFOLLOW_LINKS not set
       // CodeQL Suppression: java/path-injection
-      // JUSTIFICATION: This is the PATH VALIDATION CODE itself - the security control, not a vulnerability.
-      // CONTEXT: This method (resolveSecurePath) IS the comprehensive path injection prevention mechanism.
+      // JUSTIFICATION: This is the PATH VALIDATION CODE itself - the security control, not a
+      // vulnerability.
+      // CONTEXT: This method (resolveSecurePath) IS the comprehensive path injection prevention
+      // mechanism.
       // At this point in execution, the path has already been validated through steps 1-7:
       // - Step 1-2: Null/empty and traversal pattern checks
       // - Step 3-4: Path normalization and base directory resolution
@@ -244,7 +246,8 @@ private String sanitizePath(String path) {
       // JUSTIFICATION: This is a SANITIZATION function for error messages, not a file operation.
       // PURPOSE: Creates safe error messages by extracting only the filename portion
       // NO FILE SYSTEM ACCESS: Only used for string manipulation to prevent information disclosure
-      // SECURITY BENEFIT: Prevents full path leakage in error messages (defense against reconnaissance)
+      // SECURITY BENEFIT: Prevents full path leakage in error messages (defense against
+      // reconnaissance)
       // The path is parsed only to extract filename; no files are opened, read, or written.
       // This is a security-enhancing function, not a vulnerability.
       // lgtm[java/path-injection]

geode-management/src/main/java/org/apache/geode/management/internal/utils/JarFileUtils.java

@@ -82,15 +82,16 @@ public static boolean isSemanticVersion(String filename) {
    * @return True if the data has JAR content, false otherwise
    */
   // CodeQL Suppression: java/path-injection
-  // JUSTIFICATION: File parameter is already validated through SecurePathResolver before reaching this method.
+  // JUSTIFICATION: File parameter is already validated through SecurePathResolver before reaching
+  // this method.
   // CALL CHAIN ANALYSIS:
   // 1. DeployCommand.validateJarPath() -> SecurePathResolver.resolveSecurePath() -> this method
   // 2. SecurePathResolver performs comprehensive validation:
-  //    - Canonical path resolution (prevents symlink attacks)
-  //    - Path traversal detection (blocks ../, ~, etc.)
-  //    - System directory blacklisting (/etc, /sys, Windows system dirs)
-  //    - Base directory containment verification
-  //    - File type and existence validation
+  // - Canonical path resolution (prevents symlink attacks)
+  // - Path traversal detection (blocks ../, ~, etc.)
+  // - System directory blacklisting (/etc, /sys, Windows system dirs)
+  // - Base directory containment verification
+  // - File type and existence validation
   // 3. All callers pass File objects created from validated Paths (validatedPath.toFile())
   // VALIDATION EVIDENCE:
   // - See SecurePathResolverTest for comprehensive security test coverage