Update owasp-webgoat.md

Author: felickz

code-scanning-guides/synthetic-applications/owasp-webgoat.md

@@ -14,7 +14,6 @@ This is due to the following:
 3. Dependencies are not all present in Dependency Graph
     - Using [Submission API](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api#using-pre-made-actions)    
 4. Vulnerabilities not detected. 
-    1. Local sources not detected
-        - The default threat model includes remote sources of untrusted data.  Use a CodeQL custom configuration file to [expand the threat model to include local sources](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models)https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models: `threat-models: local`
-    2. For a lower precision scan that may include elevated false positive rates, use a custom configuration file that pulls in additional expirmental, low precision, and community packs/queries.
+    - Enhance CodeQL to use a custom configuration file that broadens the threat model and pulls in additional expirmental, low precision, and community packs/queries. Note that this may include alerts with elevated false positive rates due to lower precision.
         - See: [Synthetics.yml](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/tree/main/configs#synthetics)
+        - The default threat model includes remote sources of untrusted data.  This config will also [expand the threat model to include local sources](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models): `threat-models: local`