diff --git a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
index 1934e7f5598..f81da8ac8cf 100644
--- a/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
+++ b/java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
@@ -32,7 +32,7 @@ public class TrustBoundaryViolations extends HttpServlet {
 } catch (Exception e) {
 }
- // GOOD: Bean Validation @Pattern annotation constrains the input via regex.
+ // GOOD: A direct String.matches(...) regex check constrains the input before it is written to the session.
 String input4 = request.getParameter("input4");
 if (input4.matches("[a-zA-Z0-9]+")) {
 request.getSession().setAttribute("input4", input4);
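Review bot: The rewritten comment above the `input4.matches("[a-zA-Z0-9]+")` check names the API but not the property that makes it a barrier: `String.matches` returns true only when the entire value matches, so nothing outside the allowlist can reach `setAttribute`. I would state that in the comment, e.g. `// GOOD: String.matches(...) must match the entire value, so only [a-zA-Z0-9]+ input is written to the session.`, so that a later reader does not treat a partial-match check with the same pattern as equivalent. The old wording referred to a Bean Validation `@Pattern` case; whether that sanitizer is exercised elsewhere in this test file cannot be seen from this hunk. The `if` block and the enclosing method continue outside the hunk.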