The columnName argument to searchAssets in org.opennms.web.asset.AssetModel is inserted into an SQL
query without any checking, allowing SQL injection attacks.
An attempt to fix it was made in revision 3893, but was commented-out in revision 4042 because it didn't
allow some of the existing uses of searchAssets.
I stumbled back upon this while searching for something else, and I'm adding this bug so I don't forget.