gnodet commented on PR #1902: URL: https://github.com/apache/maven-resolver/pull/1902#issuecomment-4642046402
## Remaining Findings Analysis (F-05, F-23, F-28, F-34)

The 4 findings not addressed in this PR were analyzed in detail against the actual source code:

| Finding | Severity | Verdict | Rationale |
|---------|----------|---------|-----------|
| F-05 | HIGH | **SKIP — False positive** | `Lock.unlock()` dual-path logic (holders + waiters removal) under a single monitor already prevents phantom locks. The `thenRun` callback only writes to sockets — it cannot re-add a context to any holders list. |
| F-23 | MEDIUM | **SKIP — Benign race** | Redundant idempotent OPTIONS requests at worst. The `volatile Boolean` ensures visibility. Synchronizing around an HTTP round-trip would be worse — serializing concurrent PUTs behind network I/O. |
| F-28 | LOW | **DEFER** | Valid list aliasing through DataPool cache, but intentional for memory optimization. A 2-line defensive copy fix exists if wanted, but no known bug reports and existing transformers already partially defend against it. |
| F-34 | LOW | **SKIP — Not a bug** | Universal filesystem TOCTOU inherent to all Java NIO. Same `createDirectories` + `newOutputStream` pattern used in 4+ places in the codebase. Standard idiomatic Java. |

Full analysis: see `resolver-remaining-findings-analysis.md` in the audit artifacts.

--
This is an automated message from the Apache Git Service.
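To make the F-28 aliasing concrete, here is an added Java sketch (not maven-resolver's DataPool code, and not from the PR): a hypothetical cache that hands the same `List` instance to every caller, a transformer-style consumer that mutates what it is given, and the defensive-copy variant the comment refers to. Class names, keys and values are constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for a DataPool-style cache: one List instance is
// handed to every caller that asks for the same key (the aliasing in F-28).
final class SharedListCache {
    private final Map<String, List<String>> pool = new HashMap<>();

    // Aliasing variant: returns the cached instance itself, so any caller
    // that mutates it silently changes what every later caller sees.
    List<String> getShared(String key) {
        return pool.computeIfAbsent(key, k -> new ArrayList<>(List.of("dep-a", "dep-b")));
    }

    // Defensive-copy variant (the short fix the comment mentions): callers get
    // their own mutable copy, so no mutation can leak back into the pool.
    List<String> getCopy(String key) {
        List<String> cached = getShared(key);
        return new ArrayList<>(cached);
    }
}

public class AliasingDemo {
    // A consumer that, like a graph transformer, edits the list it was given
    // instead of building a new one.
    static void transform(List<String> deps) {
        deps.removeIf(d -> d.equals("dep-b"));
    }

    public static void main(String[] args) {
        // Constructed key; the value is not a real coordinate.
        String key = "example.group:example-artifact:1.0";

        // Aliasing: the transformer's edit is visible to the next caller.
        SharedListCache aliased = new SharedListCache();
        transform(aliased.getShared(key));
        System.out.println("shared after transform: " + aliased.getShared(key));

        // Defensive copy: the pooled list is unchanged by the transformer.
        SharedListCache defended = new SharedListCache();
        transform(defended.getCopy(key));
        System.out.println("copy after transform:   " + defended.getCopy(key));
    }
}
```

Running `main` shows the aliased cache losing `dep-b` for every subsequent caller, while the defensive-copy cache still returns both entries; the trade-off, as the comment notes, is one extra list allocation per lookup.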
