diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp
index 075e18ad50f..ba7192567bd 100644
--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp
@@ -16,7 +16,7 @@ Using this information, they can create a reset link that allows them to take ov
-

The example below shows the vulnerable RandomUtil class generated by JHipster.

+

The example below shows the vulnerable RandomUtil class generated by JHipster prior to version 6.3.0.

Below is a fixed version of the RandomUtil class.

diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGFixed.java b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGFixed.java
index 42cf387806a..02ef4e4a3fe 100644
--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGFixed.java
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGFixed.java
@@ -6,7 +6,7 @@ import java.security.SecureRandom;
 * Utility class for generating random Strings.
 */
 public final class RandomUtil {
- private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+ private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom
 private static final int DEF_COUNT = 20;
@@ -18,6 +18,7 @@ public final class RandomUtil {
 }
 private static String generateRandomAlphanumericString() {
+ // GOOD: Passing Secure Random to RandomStringUtils::random
 return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
 }
diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGVulnerable.java b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGVulnerable.java
index d1a7f4cd924..0532a8a9d3c 100644
--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGVulnerable.java
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNGVulnerable.java
@@ -16,7 +16,7 @@ public final class RandomUtil {
 * @return the generated password.
 */
 public static String generatePassword() {
- return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+ return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 /**
@@ -25,7 +25,7 @@ public final class RandomUtil {
 * @return the generated activation key.
 */
 public static String generateActivationKey() {
- return RandomStringUtils.randomNumeric(DEF_COUNT);
+ return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 /**
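Review bot: The new comment `// GOOD: Passing Secure Random to RandomStringUtils::random` in the `@@ -18,6` hunk spells the class as two words, while the comment added in the `@@ -6,7` hunk of the same file writes `SecureRandom`; use the class name consistently, `// GOOD: Passing SecureRandom to RandomStringUtils::random`. Since this file is shipped as query help and its only difference from the vulnerable example is the last argument, the comment could also say why that argument matters, e.g. `// GOOD: the explicit Random argument makes RandomStringUtils draw from SECURE_RANDOM`.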
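Review bot: The comment added in the `@@ -16,7` hunk of JHipsterGeneratedPRNGVulnerable.java, `// BAD: RandomStringUtils oes not use SecureRandom`, is missing a letter and should read `// BAD: RandomStringUtils does not use SecureRandom`. The same typo is repeated in the `@@ -25,7`, `@@ -34,7`, `@@ -44,7` and `@@ -53,6` hunks of that file. Because this text is user-facing query help, it would also help to state what is used instead: as far as I recall, the no-argument RandomStringUtils overloads draw from a shared java.util.Random instance (confirm against the Commons Lang version the example targets), which is not suitable for password-reset or activation tokens.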
@@ -34,7 +34,7 @@ public final class RandomUtil {
 * @return the generated reset key.
 */
 public static String generateResetKey() {
- return RandomStringUtils.randomNumeric(DEF_COUNT);
+ return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 /**
@@ -44,7 +44,7 @@ public final class RandomUtil {
 * @return the generated series data.
 */
 public static String generateSeriesData() {
- return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+ return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 /**
@@ -53,6 +53,6 @@ public final class RandomUtil {
 * @return the generated token data.
 */
 public static String generateTokenData() {
- return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+ return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils oes not use SecureRandom
 }
 }