fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block #6501
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes Issue
#5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies
Description of Change
Surrounding merging dependency code in synchronized block. I was facing the issue when I had multiple json files added - by
/tmp/*/package-lock.json
. Most of them contains the same set of dependencies. I've noticed that this issue doesn't exist when I change the number of threads inorg/owasp/dependencycheck/Engine.java:811
to 1. This would mean that this is ordinary concurrency issue. I've checked if it occurs if I add the synchronized to theorg.owasp.dependencycheck.analyzer.DependencyMergingAnalyzer#mergeDependencies
but the issue was still there. And I've noticed that the when one thread is throwing this exeption, the other one is trying to doorg.owasp.dependencycheck.Engine#removeDependency
.This is why I've added the synchronized block to thos part of the method
After this I don't see anymore the ConcurrentModificationException
Have test cases been added to cover the new functionality?
no