
An unexpected error occurred during analysis of '...pom.xml' (False Positive Analyzer): null #3618

Closed
skirsch-prof opened this issue Aug 31, 2021 · 3 comments · Fixed by #3619

Comments


skirsch-prof commented Aug 31, 2021

Disclaimer

This may be a typical scenario... I am submitting on behalf of an entity that does not allow me to provide log files (or names/locations of artifacts). Instead, I am providing high-level information. I'm hoping if you have questions, I can answer them sufficiently to resolve the issue.

Environment

Maven plugin version 6.3.0
Maven version: 3.5.4

Error

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (3 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (3 seconds)
[WARNING] An unexpected error occurred during analysis of 'C:\Users\user\AppData\Local\Temp\dctemp3ec479f5-b342-4ff2-8ce0-f5a7c6bd201b\check6697043323940996811tmp\255\pom.xml' (False Positive Analyzer): null
[ERROR]
java.util.ConcurrentModificationException
    at java.util.TreeMap$KeySpliterator.forEachRemaining (TreeMap.java:2753)
    at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:512)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:502)
    at java.util.stream.ForEachOps$ForEachOp.evaluateSequential (ForEachOps.java:151)
    at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential (ForEachOps.java:174)
    at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.forEach (ReferencePipeline.java:418)
    at org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer.addFalseNegativeCPEs (FalsePositiveAnalyzer.java:420)
    at org.owasp.dependencycheck.analyzer.FalsePositiveAnalyzer.analyzeDependency (FalsePositiveAnalyzer.java:144)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:617)
    at java.lang.Thread.run (Thread.java:745)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
00:00  INFO: Vulnerability found: jquery below 1.9.0b1
00:00  INFO: Vulnerability found: jquery below 1.9.0b1
00:00  INFO: Vulnerability found: jquery below 1.12.0
00:00  INFO: Vulnerability found: jquery below 3.4.0
00:00  INFO: Vulnerability found: jquery below 3.5.0
00:00  INFO: Vulnerability found: jquery below 3.5.0
00:00  INFO: Vulnerability found: jquery below 1.12.0
00:00  INFO: Vulnerability found: jquery below 3.4.0
00:00  INFO: Vulnerability found: jquery below 3.5.0
00:00  INFO: Vulnerability found: jquery below 3.5.0
00:00  INFO: Vulnerability found: jquery-ui-dialog below 1.10.0
00:00  INFO: Vulnerability found: jquery-ui-dialog below 1.12.0
00:00  INFO: Vulnerability found: jquery-ui-dialog below 1.10.0
00:00  INFO: Vulnerability found: jquery below 1.12.0
00:00  INFO: Vulnerability found: jquery-ui-dialog below 1.12.0
00:00  INFO: Vulnerability found: jquery below 1.12.0
00:00  INFO: Vulnerability found: jquery below 3.4.0
00:00  INFO: Vulnerability found: jquery below 3.5.0
00:00  INFO: Vulnerability found: jquery below 3.5.0
[INFO] Finished RetireJS Analyzer (1 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (21 seconds)
[INFO] Writing report to: C:\temp\build\app\target\dependency-check-report.html
@aikebah aikebah added the bug label Aug 31, 2021
Collaborator

aikebah commented Aug 31, 2021

Will have its root cause in the performance optimisation. A concurrent modification I somehow overlooked when searching potential concurrent modifications that were not mitigated.

Author

skirsch-prof commented Aug 31, 2021

Thanks for the reply. Is there some additional information I can provide from my environment? I'm trying to figure out if "Will have its root cause in the performance optimisation" was a request for more information.

For what it's worth, the pom.xml referenced in the [WARNING] (just before the error) is for:

    <groupId>org.apache.santuario</groupId>
    <artifactId>xmlsec</artifactId>
    <packaging>bundle</packaging>
    <name>Apache XML Security for Java</name>
    <version>1.5.8</version>
    <description>
        Apache XML Security for Java supports XML-Signature Syntax and Processing,
        W3C Recommendation 12 February 2002, and XML Encryption Syntax and
        Processing, W3C Recommendation 10 December 2002. As of version 1.4,
        the library supports the standard Java API JSR-105: XML Digital Signature APIs.
    </description>
    <url>http://santuario.apache.org/</url>

Collaborator

aikebah commented Aug 31, 2021

@skirsch-alethix Steve, your original post already displays the location where it broke. From the code I could derive that you would be having either the apache xmlsec or the sun/oracle opensso libraries in your project. Those two have code near the origin of the exception in order to mitigate False Negatives for libraries that had CVEs registered with different CPEs.

But good to see the confirmation that in your case Apache xmlsec is indeed at the root of the error. It confirms what I saw in the code. During development of 6.3.0 we already had #3561 to resolve cases that I had run into after performance optimisations were done (no longer creating duplicates of the set). My issues were similar cases, but for a different internal Set (related dependencies) than the one at the root of your issue (derived software identifiers). As back then I only scanned usage of the 'related dependencies' set I simply overlooked the case that you ran into.
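As an added illustration (not code from the dependency-check project or from either commenter), the fail-fast behaviour behind the stack trace above: a stream over a live TreeSet that adds to the same set inside forEach, beside the snapshot-copy form that avoids it. The identifiers are constructed placeholders, not real CPEs.

```java
import java.util.ConcurrentModificationException;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;

public class FailFastSetDemo {

    // Constructed sample input: placeholder identifiers, not real CPEs.
    static Set<String> sampleIds() {
        Set<String> ids = new TreeSet<>();
        ids.add("vendorA:xmlsec:1.5.8");
        ids.add("vendorB:other-lib:2.0");
        return ids;
    }

    // Buggy pattern: add to the set that is being streamed. TreeMap's
    // KeySpliterator is fail-fast, so once a genuinely new element is inserted
    // the modCount check in forEachRemaining throws ConcurrentModificationException.
    // Note: adding an element that is already present does not change modCount,
    // so the bug only surfaces on inputs that actually derive a new identifier.
    // Returns true if the exception was observed.
    static boolean addWhileIterating(Set<String> ids) {
        try {
            ids.stream()
               .filter(id -> id.contains(":xmlsec:"))
               .forEach(id -> ids.add(id.replace("vendorA:", "vendorC:")));
            return false;
        } catch (ConcurrentModificationException e) {
            return true;
        }
    }

    // Fixed pattern: iterate a snapshot (the "duplicate of the set" that the
    // optimisation stopped creating), collect the extra identifiers, then add
    // them once the traversal has finished. Returns the number of ids added.
    static int addAfterIterating(Set<String> ids) {
        List<String> extra = new TreeSet<>(ids).stream()
                .filter(id -> id.contains(":xmlsec:"))
                .map(id -> id.replace("vendorA:", "vendorC:"))
                .collect(Collectors.toList());
        int before = ids.size();
        ids.addAll(extra);
        return ids.size() - before;
    }

    public static void main(String[] args) {
        System.out.println("CME on live set: " + addWhileIterating(sampleIds()));
        System.out.println("ids added via snapshot: " + addAfterIterating(sampleIds()));
    }
}
```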

@jeremylong jeremylong added this to the 6.3.1 milestone Sep 1, 2021
@aikebah aikebah removed their assignment Apr 23, 2022