ConcurrentModificationException in AbstractNpmAnalyzer.replaceOrAddVulnerability

[eballetbaz]

The issue #3862 re-occurs with release 6.5.3 (it is working with 6.5.2)

=> dependency-check-maven:6.5.3:aggregate (default-cli)

[WARNING] An unexpected error occurred during analysis of '/work/jenkins/workspace/xxx/package-lock.json' (Node Audit Analyzer): null
[ERROR]
java.util.ConcurrentModificationException
at java.util.HashMap$HashIterator.nextNode (HashMap.java:1469)
at java.util.HashMap$KeyIterator.next (HashMap.java:1493)
at java.util.Collections$UnmodifiableCollection$1.next (Collections.java:1044)
at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.replaceOrAddVulnerability (AbstractNpmAnalyzer.java:495)
at org.owasp.dependencycheck.analyzer.AbstractNpmAnalyzer.processResults (AbstractNpmAnalyzer.java:481)
at org.owasp.dependencycheck.analyzer.NodeAuditAnalyzer.analyzeDependency (NodeAuditAnalyzer.java:151)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
at java.util.concurrent.FutureTask.run (FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
at java.lang.Thread.run (Thread.java:748)
[INFO] Finished Node Audit Analyzer (0 seconds)

Originally posted by @eballetbaz in #3862 (comment)

[elballa]

Hi, any update on this.
I'm having a similar issue for Node JS Analyser
[DependencyCheck] [WARN] An unexpected error occurred during analysis of '.../package.json' (Node.js Package Analyzer): null
[DependencyCheck] java.util.ConcurrentModificationException: null
[DependencyCheck] at java.util.TreeMap$KeySpliterator.forEachRemaining(TreeMap.java:2757)
[DependencyCheck] at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
[DependencyCheck] at org.owasp.dependencycheck.analyzer.DependencyMergingAnalyzer.mergeDependencies(DependencyMergingAnalyzer.java:155)
[DependencyCheck] at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.processDependencies(NodePackageAnalyzer.java:419)
[DependencyCheck] at org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.analyzeDependency(NodePackageAnalyzer.java:265)
[DependencyCheck] at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
[DependencyCheck] at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
[DependencyCheck] at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
[DependencyCheck] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[DependencyCheck] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[DependencyCheck] at java.lang.Thread.run(Thread.java:748)

[marcelstoer]

Tracked in #4374 -> close this one?

[elballa]

Yes, close it

…

________________________________ From: Marcel Stör ***@***.***> Sent: Friday, April 29, 2022 11:51:53 AM To: jeremylong/DependencyCheck ***@***.***> Cc: elballa ***@***.***>; Comment ***@***.***> Subject: Re: [jeremylong/DependencyCheck] ConcurrentModificationException in AbstractNpmAnalyzer.replaceOrAddVulnerability (Issue #4004) Tracked in #4374<#4374> -> close this one? — Reply to this email directly, view it on GitHub<#4004 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ALLEPP7HF22NN4ZRNIY74VDVHOWLTANCNFSM5MKINDXA>. You are receiving this because you commented.Message ID: ***@***.***>