ConcurrentModificationException in AbstractNpmAnalyzer.replaceOrAddVulnerability #5809

@BenediktKersjes

Description

Describe the bug
We sometimes run into a ConcurrentModificationException when using the Node Audit Analyzer. I have looked a bit in the code and think I might know why the problem occurs. We have multiple package.json files in our project that are probably scanned in parallel. In AbstractNpmAnalyzer.java:509 the vulnerabilities for a dependency are fetched and iterated. The collection itself is immutable, but the underlying collection can be changed via dependency.(add|remove)Vulnerability. This could possibly happen due to the parallel scans of the other package.json files. Would it be an option to use an iterator instead of the for loop in AbstractNpmAnalyzer.java:509? This would take changes on the underlying collection into account while iterating.

Version of dependency-check used
We use the latest dependency-check/Dependency-Check_Action GitHub Action. Currently, this means we are using the CLI version 8.3.1.

Log file
[WARN] An unexpected error occurred during analysis of '/github/workspace/{...}/package-lock.json' (Node Audit Analyzer): null
Error:
java.util.ConcurrentModificationException: null
at java.base/java.util.HashMap$HashIterator.nextNode(HashMap.java:1597)
at java.base/java.util.HashMap$KeyIterator.next(HashMap.java:1620)
at java.base/java.util.Collections$UnmodifiableCollection$1.next(Collections.java:1054)
at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.replaceOrAddVulnerability(AbstractNpmAnalyzer.java:509)
at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.processResults(AbstractNpmAnalyzer.java:495)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency(NodeAuditAnalyzer.java:151)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)

To Reproduce
The issue occurs sometimes when running the Node Audit analyzer on our project with multiple package.json files.

Expected behavior
The error should not occur 🙂
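The race the report hypothesises, reconstructed as an added example that is not Dependency-Check's own code: `Dep` is a hypothetical stand-in for the dependency object (a `HashSet` behind `Collections.unmodifiableSet`), `unsafeContains` models a loop over the live view like the one at `AbstractNpmAnalyzer.java:509`, and a second thread plays the parallel scan of another package.json that adds and removes entries. Two points worth seeing in working code: the unmodifiable wrapper only blocks writes through the wrapper, its iterator is still `HashMap`'s fail-fast one, and an enhanced `for` loop already compiles to `iterator()`/`next()` calls, so only synchronising readers and writers on a common monitor (or snapshotting under that lock when the loop body itself must mutate, as `safeReplaceOrAdd` shows) removes the `ConcurrentModificationException`.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.ConcurrentModificationException;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;

/**
 * Hypothetical stand-in for the dependency object described in the issue:
 * a HashSet of vulnerability ids exposed read-only through an unmodifiable view,
 * but mutable through add/remove. Not Dependency-Check's real Dependency class.
 */
final class Dep {
    private final Set<String> vulns = new HashSet<>();

    // Unmodifiable *view*: it still reads (and iterates) the live HashSet underneath.
    Set<String> getVulnerabilities() { return Collections.unmodifiableSet(vulns); }
    void addVulnerability(String v) { vulns.add(v); }
    void removeVulnerability(String v) { vulns.remove(v); }
}

public class CmeRaceDemo {

    /** Unsafe: scans the live view while another analyzer thread may mutate the set. */
    static boolean unsafeContains(Dep dep, String id) {
        // Enhanced for == dep.getVulnerabilities().iterator() + next(); the iterator is fail-fast
        // and throws ConcurrentModificationException when it sees a changed modCount.
        for (String v : dep.getVulnerabilities()) {
            if (v.equals(id)) return true;
        }
        return false;
    }

    /** Safe: every reader and writer of the set takes the same monitor (here the Dep itself). */
    static boolean safeContains(Dep dep, String id) {
        synchronized (dep) {
            for (String v : dep.getVulnerabilities()) {
                if (v.equals(id)) return true;
            }
            return false;
        }
    }

    /** Safe replace-or-add: iterate a snapshot under the lock so the loop body may mutate the set. */
    static void safeReplaceOrAdd(Dep dep, String oldId, String newId) {
        synchronized (dep) {
            for (String v : new ArrayList<>(dep.getVulnerabilities())) {  // snapshot, not the live view
                if (v.equals(oldId)) dep.removeVulnerability(v);
            }
            dep.addVulnerability(newId);
        }
    }

    /**
     * Runs a writer thread that adds/removes entries while the calling thread scans repeatedly.
     * Returns true if a ConcurrentModificationException was observed by the scanner.
     */
    static boolean race(boolean synchronizedAccess) throws InterruptedException {
        Dep dep = new Dep();
        for (int i = 0; i < 1000; i++) dep.addVulnerability("ID-" + i);  // constructed sample ids
        AtomicBoolean stop = new AtomicBoolean(false);
        Thread writer = new Thread(() -> {
            int n = 1000;
            while (!stop.get()) {
                String id = "ID-" + (n++);
                if (synchronizedAccess) {
                    synchronized (dep) { dep.addVulnerability(id); dep.removeVulnerability(id); }
                } else {
                    dep.addVulnerability(id); dep.removeVulnerability(id);  // unguarded structural changes
                }
            }
        });
        writer.start();
        boolean sawCme = false;
        try {
            for (int i = 0; i < 20_000 && !sawCme; i++) {
                try {
                    if (synchronizedAccess) safeContains(dep, "missing");
                    else unsafeContains(dep, "missing");
                } catch (ConcurrentModificationException e) {
                    sawCme = true;
                }
            }
        } finally {
            stop.set(true);
            writer.join();
        }
        return sawCme;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsynchronized scan: CME observed = " + race(false));  // expected: true on most runs
        System.out.println("synchronized scan:   CME observed = " + race(true));   // expected: false
        Dep d = new Dep();
        d.addVulnerability("ID-old");
        safeReplaceOrAdd(d, "ID-old", "ID-new");
        System.out.println("after replace: " + d.getVulnerabilities());            // [ID-new]
    }
}
```

Compile and run with `javac CmeRaceDemo.java && java CmeRaceDemo`. The unsynchronised run is probabilistic, which matches the "sometimes" in the report; a thread-safe set with weakly consistent iterators (for example `ConcurrentHashMap.newKeySet()`) is the other standard way to make the scan immune, at the cost of the scan possibly missing an entry added mid-iteration.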
