fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#6501)

dabal · Grzegorz Dabrowski · web-flow · commit 44a3f1622ba8 · 2024-03-05T07:11:52.000-05:00
Co-authored-by: Grzegorz Dabrowski &lt;grzegorz.dabrowski@hypr.com&gt;
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -458,18 +458,19 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,
                         LOGGER.debug("Unable to build package url for `" + packagePath + "`", ex);
                     }
                 }
-
-                final Dependency existing = findDependency(engine, name, version);
-                if (existing != null) {
-                    if (existing.isVirtual()) {
-                        DependencyMergingAnalyzer.mergeDependencies(child, existing, null);
-                        engine.removeDependency(existing);
-                        engine.addDependency(child);
+                synchronized (this) {
+                    final Dependency existing = findDependency(engine, name, version);
+                    if (existing != null) {
+                        if (existing.isVirtual()) {
+                            DependencyMergingAnalyzer.mergeDependencies(child, existing, null);
+                            engine.removeDependency(existing);
+                            engine.addDependency(child);
+                        } else {
+                            DependencyBundlingAnalyzer.mergeDependencies(existing, child, null);
+                        }
                     } else {
-                        DependencyBundlingAnalyzer.mergeDependencies(existing, child, null);
+                        engine.addDependency(child);
                     }
-                } else {
-                    engine.addDependency(child);
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -458,18 +458,19 @@ private void processDependencies(JsonObject json, File baseDir, File rootFile,`
`458`	`458`	LOGGER.debug("Unable to build package url for `" + packagePath + "`", ex);
`459`	`459`	`}`
`460`	`460`	`}`
`461`		`-`
`462`		`- final Dependency existing = findDependency(engine, name, version);`
`463`		`- if (existing != null) {`
`464`		`- if (existing.isVirtual()) {`
`465`		`- DependencyMergingAnalyzer.mergeDependencies(child, existing, null);`
`466`		`- engine.removeDependency(existing);`
`467`		`- engine.addDependency(child);`
	`461`	`+ synchronized (this) {`
	`462`	`+ final Dependency existing = findDependency(engine, name, version);`
	`463`	`+ if (existing != null) {`
	`464`	`+ if (existing.isVirtual()) {`
	`465`	`+ DependencyMergingAnalyzer.mergeDependencies(child, existing, null);`
	`466`	`+ engine.removeDependency(existing);`
	`467`	`+ engine.addDependency(child);`
	`468`	`+ } else {`
	`469`	`+ DependencyBundlingAnalyzer.mergeDependencies(existing, child, null);`
	`470`	`+ }`
`468`	`471`	`} else {`
`469`		`- DependencyBundlingAnalyzer.mergeDependencies(existing, child, null);`
	`472`	`+ engine.addDependency(child);`
`470`	`473`	`}`
`471`		`- } else {`
`472`		`- engine.addDependency(child);`
`473`	`474`	`}`
`474`	`475`	`}`
`475`	`476`	`}`