Microsoft Defender triggers on JSP webshell used in test #3673

@Sjord

https://github.com/semgrep/semgrep-rules/blob/develop/java/lang/security/audit/xss/jsp/no-scriptlets.jsp

no-scriptlets.jsp contains a webshell, and Microsoft Defender gets angry about that. This is of course not really a bug in the semgrep rules, but still mildly annoying when working on these rules.

Perhaps a better alternative would be something like https://github.com/nirmaldhara/Jsp-hello-world/blob/master/WebContent/index.jsp, which also contains various variations on <% syntax.

Labels: bug (Something isn't working)
