fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block #6501
Merged
jeremylong merged 1 commit intodependency-check:mainfrom Mar 5, 2024
Conversation
dabal
changed the title
Collaborator
|
Thank you for the PR! |
Contributor
Author
You are welcome:). Do I have to do anything more to get this merged? And I have a question about the time frame - when you would like to release the 9.0.10? |
Collaborator
|
Again - thank you for the PR. I will try to release 9.0.10 within a week. I've been tied up with a lot of other non-OSS projects lately. |
lucas-kern
pushed a commit
to lucas-kern/DependencyCheck
that referenced
this pull request
Mar 7, 2024
…zer.processDependencies - adding synchronized block (dependency-check#6501) Co-authored-by: Grzegorz Dabrowski <[email protected]> fix: set forceUpdate flag for empty hosted suppression file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes Issue
jeremylong/DependencyCheck#5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies
Description of Change
Surrounding merging dependency code in synchronized block. I was facing the issue when I had multiple json files added - by
/tmp/*/package-lock.json. Most of them contains the same set of dependencies. I've noticed that this issue doesn't exist when I change the number of threads inorg/owasp/dependencycheck/Engine.java:811to 1. This would mean that this is ordinary concurrency issue. I've checked if it occurs if I add the synchronized to theorg.owasp.dependencycheck.analyzer.DependencyMergingAnalyzer#mergeDependenciesbut the issue was still there. And I've noticed that the when one thread is throwing this exeption, the other one is trying to doorg.owasp.dependencycheck.Engine#removeDependency.This is why I've added the synchronized block to thos part of the method
After this I don't see anymore the ConcurrentModificationException
Have test cases been added to cover the new functionality?
no