There are multiple places in RTGov that use a constant string as a lock object:

rtgov/modules/activity-analysis/reports/src/main/java/org/overlord/rtgov/reports/ReportManagerAccessor.java: private static final String SYNC=new String("sync");
rtgov/modules/activity-management/activity/src/main/java/org/overlord/rtgov/activity/validator/ActivityValidatorManagerAccessor.java: private static final String SYNC=new String("sync");
rtgov/modules/activity-management/activity/src/main/java/org/overlord/rtgov/activity/processor/InformationProcessorManagerAccessor.java: private static final String SYNC=new String("sync");
rtgov/modules/activity-management/activity/src/main/java/org/overlord/rtgov/activity/collector/ActivityCollectorAccessor.java: private static final String SYNC=new String("sync");
rtgov/modules/event-processor-network/epn-core/src/main/java/org/overlord/rtgov/epn/EPNManagerAccessor.java: private static final String SYNC=new String("sync");
rtgov/modules/active-queries/active-collection/src/main/java/org/overlord/rtgov/active/collection/ActiveCollectionManagerAccessor.java: private static final String SYNC=new String("sync");

This is an antipattern and can lead to unpredictable behaviour, as the String constant acts as a global JVM lock:
https://www.securecoding.cert.org/confluence/display/java/LCK01-J.+Do+not+synchronize+on+objects+that+may+be+reused
These are not string constants, they are string instances. If you look on the referenced page under "Compliant Solution (String Instance)" you will find they are ok.
Right, under these conditions I am lowering the severity to low - refer to the sentence -- Nevertheless, a better approach is to synchronize on a private final lock object, as shown in the following compliant solution. --
Verified in ER2
Gary Brown <gary> updated the status of jira RTGOV-242 to Closed
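
The distinction discussed in this thread, shown as an added example that is not part of the original comments or the RTGov code: two unrelated classes that lock on the literal "sync" hold the same monitor, while `new String("sync")` instances and private `Object` locks are separate monitors. The class names `ReportAccessor` and `CollectorAccessor` and the helper `sharesMonitor` are hypothetical.

```java
public class LockIdentityDemo {

    // Hypothetical stand-ins for two unrelated *Accessor classes.
    static class ReportAccessor {
        // String literal: interned, so every "sync" literal in the JVM is this object.
        static final String LITERAL = "sync";
        // String instance, as declared in the RTGov classes listed in the report.
        static final String INSTANCE = new String("sync");
        // Private final lock object, the approach LCK01-J recommends.
        private static final Object LOCK = new Object();
    }

    static class CollectorAccessor {
        static final String LITERAL = "sync";
        static final String INSTANCE = new String("sync");
        private static final Object LOCK = new Object();
    }

    // Returns true if holding the monitor of 'held' also means holding the
    // monitor of 'other', i.e. both references point at one lock object.
    static boolean sharesMonitor(Object held, Object other) {
        synchronized (held) {
            return Thread.holdsLock(other);
        }
    }

    public static void main(String[] args) {
        System.out.println("literal \"sync\" shared across classes:    "
                + sharesMonitor(ReportAccessor.LITERAL, CollectorAccessor.LITERAL));
        System.out.println("new String(\"sync\") shared across classes: "
                + sharesMonitor(ReportAccessor.INSTANCE, CollectorAccessor.INSTANCE));
        System.out.println("private Object lock shared across classes: "
                + sharesMonitor(ReportAccessor.LOCK, CollectorAccessor.LOCK));
    }
}
```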