fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block

[dabal]

Fixes Issue

#5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies

Description of Change

Surrounding merging dependency code in synchronized block. I was facing the issue when I had multiple json files added - by /tmp/*/package-lock.json. Most of them contains the same set of dependencies. I've noticed that this issue doesn't exist when I change the number of threads in org/owasp/dependencycheck/Engine.java:811 to 1. This would mean that this is ordinary concurrency issue. I've checked if it occurs if I add the synchronized to the org.owasp.dependencycheck.analyzer.DependencyMergingAnalyzer#mergeDependencies but the issue was still there. And I've noticed that the when one thread is throwing this exeption, the other one is trying to do org.owasp.dependencycheck.Engine#removeDependency.

This is why I've added the synchronized block to thos part of the method

 synchronized (this) {
                    final Dependency existing = findDependency(engine, name, version);
                    if (existing != null) {
                        if (existing.isVirtual()) {
                            DependencyMergingAnalyzer.mergeDependencies(child, existing, null);
                            engine.removeDependency(existing);
                            engine.addDependency(child);
                        } else {
                            DependencyBundlingAnalyzer.mergeDependencies(existing, child, null);
                        }
                    } else {
                        engine.addDependency(child);
                    }
                }

After this I don't see anymore the ConcurrentModificationException

Have test cases been added to cover the new functionality?

no

[jeremylong]

LGTM

[jeremylong]

Thank you for the PR!

[dabal]

Thank you for the PR!

You are welcome:). Do I have to do anything more to get this merged? And I have a question about the time frame - when you would like to release the 9.0.10?

[jeremylong]

Again - thank you for the PR. I will try to release 9.0.10 within a week. I've been tied up with a lot of other non-OSS projects lately.