
Performance issue with 6.1.2 #3183

@laurentgo

Description


Describe the bug
On a Maven project with hundreds of modules, generating an aggregated report with 6.1.2 is way slower than with version 6.1.1. When the CVE databases are already cached, it takes around 1 or 2 minutes to generate the whole report with version 6.1.1, but more than 30 minutes with 6.1.2.

When doing some profiling, it looks like most of the time is spent inside the method CveDB#simpleCPESearch().

Version of dependency-check used
The problem occurs using version 6.1.2 of the maven plugin

Log file
Here's the plugin output when using version 6.1.1:

[INFO] Check for updates complete (152 ms)
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (4 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (2 seconds)
[INFO] Finished Node.js Package Analyzer (2 seconds)
[INFO] Finished Dependency Merging Analyzer (5 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (18 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (1 seconds)
[INFO] Finished Node Audit Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (2 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (2 seconds)
[INFO] Finished Dependency Bundling Analyzer (43 seconds)
[INFO] Analysis Complete (88 seconds)

And the output for 6.1.2:

[INFO] Check for updates complete (83 ms)
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (4 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (3 seconds)
[INFO] Finished Node.js Package Analyzer (2 seconds)
[INFO] Finished Dependency Merging Analyzer (5 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1524 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (1 seconds)
[INFO] Finished Node Audit Analyzer (0 seconds)
[INFO] Finished RetireJS Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (2 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (2 seconds)
[INFO] Finished Dependency Bundling Analyzer (46 seconds)
[INFO] Analysis Complete (1597 seconds)

To Reproduce
mvn org.owasp:dependency-check-maven:6.1.2:aggregate

Expected behavior
Performance should be reasonably similar to the previous version.
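As an added example (not part of this issue or of dependency-check itself), a small Python script that parses the per-analyzer timings from the two log excerpts quoted above and flags the phases that regressed, which isolates the CPE Analyzer as the slow step; the thresholds (at least 2x slower and at least 5 seconds) are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Excerpts of the two plugin outputs quoted in the issue (6.1.1 and 6.1.2).
BASELINE_LOG = """\
[INFO] Finished Jar Analyzer (2 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (18 seconds)
[INFO] Finished NVD CVE Analyzer (1 seconds)
[INFO] Finished Dependency Bundling Analyzer (43 seconds)
[INFO] Analysis Complete (88 seconds)
"""
CANDIDATE_LOG = """\
[INFO] Finished Jar Analyzer (3 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1524 seconds)
[INFO] Finished NVD CVE Analyzer (1 seconds)
[INFO] Finished Dependency Bundling Analyzer (46 seconds)
[INFO] Analysis Complete (1597 seconds)
"""

TOTAL = "Analysis Complete"  # overall wall-clock line, reported separately

# Matches "[INFO] Finished <phase> (<n> seconds)", "Created <phase> (...)"
# and the final "Analysis Complete (<n> seconds)" line; "ms" lines are ignored.
_TIMING = re.compile(r"^\[INFO\] (?:Finished |Created )?(.+?) \((\d+) seconds?\)$")


def parse_timings(log: str) -> Dict[str, int]:
    """Map each timed phase name to its duration in seconds."""
    timings: Dict[str, int] = {}
    for line in log.splitlines():
        m = _TIMING.match(line.strip())
        if m:
            timings[m.group(1)] = int(m.group(2))
    return timings


def find_regressions(baseline: str, candidate: str, factor: float = 2.0,
                     min_seconds: int = 5) -> List[Tuple[str, int, int]]:
    """Return (phase, before, after) for phases present in both runs that
    became at least `factor` times slower and now take >= `min_seconds`,
    sorted by absolute growth. The total line is excluded."""
    base, cand = parse_timings(baseline), parse_timings(candidate)
    hits = [(name, base[name], after) for name, after in cand.items()
            if name != TOTAL and name in base and after >= min_seconds
            and after >= factor * max(base[name], 1)]
    hits.sort(key=lambda t: t[2] - t[1], reverse=True)
    return hits


if __name__ == "__main__":
    for phase, before, after in find_regressions(BASELINE_LOG, CANDIDATE_LOG):
        print(f"{phase}: {before}s -> {after}s ({after / max(before, 1):.0f}x)")
```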
