Add missing substitution description

Author: smowton

java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql

@@ -69,4 +69,4 @@ class NonConstantTimeComparisonConfig extends TaintTracking::Configuration {
 from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeComparisonConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Possible timing attack against $@ validation.",
-  source.getNode()
+  source.getNode(), "client-supplied token"