When JeSS scans a file it first produces an AST. JeSS then searches this AST for problematic code structures using the visitor pattern. A visitor is passed to the root of the AST and it searches for the signature of security bugs. Each security bug is scanned for using a separate visitor. This structure allows JeSS to be easily extended, to scan for new security bugs simply introduce a new visitor of the appropriate type.