Use defensive copy to prevent ConcurrentModificationException due to …

…addition of new vulnerableSoftwareIdentifiers
jeremylong · Aug 31, 2021 · edbddd9 · edbddd9
1 parent f4b0335
commit edbddd9
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -414,7 +414,10 @@ private void removeWrongVersionMatches(Dependency dependency) {
     private void addFalseNegativeCPEs(Dependency dependency) {
         final CpeBuilder builder = new CpeBuilder();
         //TODO move this to the hint analyzer
-        dependency.getVulnerableSoftwareIdentifiers().stream()
+        // defensive copu for #3618 as I do not have access projects with opensso / opensso_enterprise
+        // to validate that a move of rules to the hint analyzer will result in the desired effects
+        List<Identifier> currentVulnSwIds = new ArrayList<>(dependency.getVulnerableSoftwareIdentifiers());
+        currentVulnSwIds.stream()
                 .filter((i) -> (i instanceof CpeIdentifier))
                 .map(i -> (CpeIdentifier) i)
                 .forEach((i) -> {