fix(compliance): ConcurrentDictionary.AddOrUpdate unsafe for in-place EvidenceRecord mutation in NISTComplianceService

[github-actions]

Summary

ConcurrentDictionary.AddOrUpdate executes its updateValueFactory delegate outside the dictionary's internal locks and may invoke it multiple times under contention. Concurrent calls to SubmitReviewAsync with the same evidence ID therefore mutate an EvidenceRecord field-by-field without synchronization, resulting in a record with a mixed review state.

Affected file

src/BusinessApplications/NISTCompliance/Services/NISTComplianceService.cs — line 233

Required fix

Replace the unsafe in-place mutation with an immutable update (create a new record value) or use a proper lock/Interlocked mechanism:

_evidenceRecords.AddOrUpdate(
    evidenceId,
    _ => CreateNewRecord(review),
    (_, existing) => existing with { ReviewedBy = review.ReviewedBy, Status = review.Status, ReviewedAt = review.ReviewedAt }
);

References

• PR Phase 16: Remaining widgets, role-based UI, frontend tests #361 review: Phase 16: Remaining widgets, role-based UI, frontend tests #361 (comment)
• Severity: 🔴 Critical

[blocksorg]

Mention Blocks like a regular teammate with your question or request:

@blocks can you add technical details to this issue?
@blocks make the following changes ...
@blocks create an issue from what was mentioned in the following comment ...
@blocks explain the following code ...
@blocks are there any security or performance concerns?

Run @blocks /help for more information.

Workspace settings | Disable this message