Update UnsafeDeserialization.qhelp

Move the table under <recommendation>, minor fixes.

Author: atorralba

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -28,37 +28,20 @@ for example JSON or XML.  However, these formats should not be deserialized
 into complex objects because this provides further opportunities for attack.
 For example, XML-based deserialization attacks
 are possible through libraries such as XStream and XmlDecoder.
-
+</p>
+<p>
 Alternatively, a tightly controlled whitelist can limit the vulnerability of code, but be aware
 of the existence of so-called Bypass Gadgets, which can circumvent such
 protection measures.
 </p>
-</recommendation>
-
-<example>
 <p>
-The following example calls <code>readObject</code> directly on an
-<code>ObjectInputStream</code> that is constructed from untrusted data, and is
-therefore inherently unsafe.
+Fixes by framework:
 </p>
-<sample src="UnsafeDeserializationBad.java" />
-
-<p>
-Rewriting the communication protocol to only rely on reading primitive types
-from the input stream removes the vulnerability.
-</p>
-<sample src="UnsafeDeserializationGood.java" />
-
-</example>
-
-<p>
-
-Fixes by framework
 <table>
     <tbody>
         <tr>
             <th>Project</th>
-            <th>Maven Cordinates</th>
+            <th>Maven Coordinates</th>
             <th>Secure by Default</th>
             <th>Fix</th>
         </tr>
@@ -72,18 +55,18 @@ Fixes by framework
             <td>ObjectInputStream</td>
             <td>Java Standard Library</td>
             <td>No</td>
-            <td>Leverage a validating input stream like <code>org.apache.commons.io.serialization.ValidatingObjectInputStream</code></td>
+            <td>Leverage a validating input stream like <code>org.apache.commons.io.serialization.ValidatingObjectInputStream</code>.</td>
         </tr>
             <tr>
             <td>FastJson</td>
             <td>com.alibaba:fastjson</td>
             <td>Partially</td>
-            <td>Call <code>com.alibaba.fastjson.parser.ParserConfig#setSafeMode</code> with the argument <code>true</code></td>
+            <td>Call <code>com.alibaba.fastjson.parser.ParserConfig#setSafeMode</code> with the argument <code>true</code>.</td>
         </tr>
         <tr>
             <td>SnakeYAML</td>
             <td>org.yaml:snakeyaml</td>
-            <td><a href="https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&amp;%20NIST.md">No</a>. <a href="https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in">Maintainer response</a>.</td>
+            <td><a href="https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&amp;%20NIST.md">No</a> (<a href="https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in">maintainer response</a>)</td>
             <td>Instantiate the <code>org.yaml.snakeyaml.Yaml</code> instance explicitly with an instance of <code>org.yaml.snakeyaml.constructor.SafeConstructor</code> as an argument.</td>
         </tr>
         <tr>
@@ -98,11 +81,28 @@ Fixes by framework
         <tr>
             <td>Kryo</td>
             <td>com.esotericsoftware:kryo and com.esotericsoftware:kryo5</td>
-            <td>com.esotericsoftware:kryo versions including &amp; after 5.0.0 Yes; com.esotericsoftware:kryo5 Yes</td>
+            <td>com.esotericsoftware:kryo >= 5.0.0 and com.esotericsoftware:kryo5 Yes</td>
             <td>Don't call <code>com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired</code> with the argument <code>false</code>.</td>
         </tr>
     </tbody>
 </table>
+</recommendation>
+
+<example>
+<p>
+The following example calls <code>readObject</code> directly on an
+<code>ObjectInputStream</code> that is constructed from untrusted data, and is
+therefore inherently unsafe.
+</p>
+<sample src="UnsafeDeserializationBad.java" />
+
+<p>
+Rewriting the communication protocol to only rely on reading primitive types
+from the input stream removes the vulnerability.
+</p>
+<sample src="UnsafeDeserializationGood.java" />
+
+</example>
 
 <references>