CodeQL : Uncontrolled data used in path expression. Security check
As we can see the line which is causing the CodeQL fail is 187 which is as below
but the "directory" by an given by the caller which the class has not control over.
if we see a sample of test cases usage of the AttachmentDeserializer.ATTACHMENT_DIRECTORY
we can see System.getProperty("java.io.tmpdir") which is on linux
/tmp and by applying the rule, it will end up with tmp
and the issue is reported there