Skip to content

Comments

fix: Make AntTaskHolder thread-safe using ThreadLocal#8311

Merged
jeremylong merged 3 commits intoscratch/upgrade-loggersfrom
copilot/sub-pr-8306-again
Feb 18, 2026
Merged

fix: Make AntTaskHolder thread-safe using ThreadLocal#8311
jeremylong merged 3 commits intoscratch/upgrade-loggersfrom
copilot/sub-pr-8306-again

Conversation

Copy link

Copilot AI commented Feb 17, 2026
edited
Loading

Description of Change

AntTaskHolder used a static volatile field to store the current Ant Task, causing race conditions when Ant runs tasks in parallel. Each thread would overwrite the shared task reference, routing logs to the wrong task.

Changes:

  • Replaced static volatile Task with ThreadLocal<Task> for per-thread task isolation
  • Added remove() method to prevent memory leaks in thread pool environments
  • Updated Purge.execute() to call remove() in finally block for cleanup
// Before: shared across all threads
private static volatile Task task;

// After: isolated per thread
private static final ThreadLocal<Task> task = new ThreadLocal<>();

Related issues

Addresses feedback from #8306 (review comment 2817763511)

Have test cases been added to cover the new functionality?

no - existing behavior preserved, thread-safety is an implementation detail

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI mentioned this pull request Feb 17, 2026
Draft
Copilot AI and others added 2 commits February 17, 2026 15:57
@jeremylong
fix: Use ThreadLocal for thread-safe task storage in AntTaskHolder
6ca3d9c 
Co-authored-by: jeremylong <862914+jeremylong@users.noreply.github.com>
@jeremylong
fix: Add ThreadLocal cleanup to prevent memory leaks
ea50cec 
Co-authored-by: jeremylong <862914+jeremylong@users.noreply.github.com>
@boring-cyborg boring-cyborg bot added the ant changes to ant label Feb 17, 2026
Copy link
Author

Copilot AI commented Feb 17, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkstyle.org
    • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.1/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.1/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.1/x64/codeql/xml/tools/xml-extractor.jar --fileList=/home/REDACTED/work/DependencyCheck/.codeql-scratch/dbs/java/working/files-to-index561848194598852457.list --sourceArchiveDir=/home/REDACTED/work/DependencyCheck/.codeql-scratch/dbs/java/src --outputDir=/home/REDACTED/work/DependencyCheck/.codeql-scratch/dbs/java/trap/java /main/java/org/owasp/dependencycheck/ant/logging/AntTaskHolder.java ndor/bin/git (dns block)
  • dependency-check.github.io
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/DependencyCheck/DependencyCheck org.codehaus.plexus.classworlds.launcher.Launcher clean compile -pl ant -am (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/DependencyCheck/DependencyCheck org.codehaus.plexus.classworlds.launcher.Launcher clean install -pl core,ant -am -DskipTests -Dmaven.test.skip=true -Ddownload-maven-plugin.skip=true (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/DependencyCheck/DependencyCheck org.codehaus.plexus.classworlds.launcher.Launcher clean install -pl core,ant -am -DskipTests -Dmaven.test.skip=true -Ddownload-maven-plugin.skip=true -Dio.github.download-maven-plugin:download-maven-plugin:2.1.0:wget.skip=true (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Address feedback on dependency upgrade for slf4j and logback fix: Make AntTaskHolder thread-safe using ThreadLocal Feb 17, 2026
Copilot AI requested a review from jeremylong February 17, 2026 16:01
@jeremylong jeremylong marked this pull request as ready for review February 18, 2026 12:54
@jeremylong jeremylong merged commit e7d7fe5 into scratch/upgrade-loggers Feb 18, 2026
16 checks passed
@jeremylong jeremylong deleted the copilot/sub-pr-8306-again branch February 18, 2026 12:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jeremylong jeremylong jeremylong approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jeremylong jeremylong

Copilot code review Copilot

Labels

ant changes to ant

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jeremylong