Running dependencyCheck concurrent in multiple CI pipelines throws error #4844
Comments
Your logfile does not show any problems or failure, nor does your description shed any light on your problem, so I'm just guessing that you are running into concurrent modification problems.
Maybe add @mprins regarding the concurrency issue with H2 - ODC goes to great lengths so that isn't an issue. Each instance will make a temp copy of the database. During the updates there is a lock file respected by all instances - and they will wait before attempting to update and/or make their temporary copy for the analysis.
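The "lock file, then private copy" protocol described in that comment, as an added illustration that is not dependency-check's own code. The lock-file name, the database file name and the temp-directory prefix are assumptions made for the example; the point is that every process blocks on the same lock before it either updates the shared database or copies it for its own analysis, so readers never see a half-written file.

```java
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;

/**
 * Illustrative sketch of a shared data directory guarded by an advisory lock
 * file. NOT dependency-check's code: file names and layout are assumptions.
 */
public class SharedDataDirDemo {

    /** Hypothetical lock file that every CI job agrees to respect. */
    static final String LOCK_NAME = "update.lock";

    @FunctionalInterface
    interface LockedAction<T> { T run(Path dataDir) throws Exception; }

    /**
     * Run {@code action} while holding the lock on the shared data directory.
     * FileLock is process-scoped: a second JVM blocks in lock() until this one
     * releases. A second thread in the SAME JVM would instead get an
     * OverlappingFileLockException, so threads inside one process must be
     * serialised with a java.util.concurrent lock on top of this.
     */
    static <T> T withUpdateLock(Path dataDir, LockedAction<T> action) throws Exception {
        Files.createDirectories(dataDir);
        Path lockFile = dataDir.resolve(LOCK_NAME);
        try (FileChannel ch = FileChannel.open(lockFile,
                     StandardOpenOption.CREATE, StandardOpenOption.WRITE);
             FileLock lock = ch.lock()) {   // blocks until no other process holds it
            return action.run(dataDir);
        }                                    // lock released when the channel closes
    }

    /** Writer side: replace the shared database while nobody can copy it. */
    static Path applyUpdate(Path dataDir, String dbFileName, byte[] newContents) throws Exception {
        return withUpdateLock(dataDir,
                dir -> Files.write(dir.resolve(dbFileName), newContents));
    }

    /** Reader side: take a job-private snapshot under the same lock, then scan offline. */
    static Path snapshotForAnalysis(Path dataDir, String dbFileName) throws Exception {
        return withUpdateLock(dataDir, dir -> {
            Path tmp = Files.createTempDirectory("scan-");
            Files.copy(dir.resolve(dbFileName), tmp.resolve(dbFileName),
                    StandardCopyOption.REPLACE_EXISTING);
            return tmp;
        });
    }

    public static void main(String[] args) throws Exception {
        Path dataDir = Files.createTempDirectory("shared-data-");
        String db = "vulndb.mv.db";   // constructed stand-in for the H2 database file
        applyUpdate(dataDir, db, "constructed snapshot v1".getBytes());
        Path privateCopy = snapshotForAnalysis(dataDir, db);
        System.out.println("analysis runs against " + privateCopy.resolve(db));
    }
}
```

Two CI jobs that share one `--data` directory would each call the equivalent of `applyUpdate` and then `snapshotForAnalysis`; whichever arrives second waits in `ch.lock()` rather than reading a database that is mid-update.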
We experienced the same issue and managed to get the following stack trace:
Still doesn't exactly reveal the cause of the ConcurrentModificationExceptions. However, I suspect one of the recent changes is causing it, i.e. turning the suppression rules collection into a singleton, see this commit. The SuppressionRules singleton is not thread-safe and concurrent access may cause exactly those ConcurrentModificationExceptions. We had to downgrade to v7.1.1 to avoid running into those problems.
@bersti The final ExceptionCollection stack trace should mean that earlier on in the log you can find the actual errors getting logged as well. Those would be the pointers to what goes wrong in your case.
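A minimal model of the failure mode that comment suspects, added here as an illustration and not taken from dependency-check's source: a process-wide singleton holding a plain ArrayList that analyzer threads iterate while another thread is still loading rules. ArrayList's iterator is fail-fast, so the reader gets a ConcurrentModificationException; the second variant swaps in CopyOnWriteArrayList so readers iterate a snapshot. Class names, the rule shape and the rule ids are invented for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/**
 * Illustrative model of an unsynchronised singleton collection read and
 * written by different threads. NOT dependency-check's code; names invented.
 */
public class SuppressionRulesDemo {

    /** A suppression rule reduced to the id it suppresses (constructed). */
    record Rule(String id) {}

    /** Unsafe: fail-fast iteration over ArrayList while another thread adds. */
    static final class UnsafeRules {
        private static final List<Rule> RULES = new ArrayList<>();
        static void add(Rule r) { RULES.add(r); }
        static boolean isSuppressed(String finding) {
            for (Rule r : RULES) { if (r.id().equals(finding)) return true; }
            return false;
        }
    }

    /** Safe: readers iterate an immutable snapshot; each add copies the array. */
    static final class SafeRules {
        private static final List<Rule> RULES = new CopyOnWriteArrayList<>();
        static void add(Rule r) { RULES.add(r); }
        static boolean isSuppressed(String finding) {
            for (Rule r : RULES) { if (r.id().equals(finding)) return true; }
            return false;
        }
    }

    /**
     * Race one loader thread against one reader thread. The reader keeps
     * scanning for a finding that matches no rule, so every check walks the
     * whole list while the loader is appending. Returns the first exception
     * the reader hit, or null if it survived.
     */
    static Throwable race(Runnable add, Runnable check) throws InterruptedException {
        Throwable[] seen = new Throwable[1];
        Thread loader = new Thread(() -> { for (int i = 0; i < 20_000; i++) add.run(); });
        Thread reader = new Thread(() -> {
            try { while (loader.isAlive()) check.run(); }
            catch (RuntimeException e) { seen[0] = e; }   // CME, or index errors from a mid-grow read
        });
        loader.start();
        reader.start();
        loader.join();
        reader.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        Throwable unsafe = race(() -> UnsafeRules.add(new Rule("rule-" + System.nanoTime())),
                                () -> UnsafeRules.isSuppressed("no-such-finding"));
        Throwable safe = race(() -> SafeRules.add(new Rule("rule-" + System.nanoTime())),
                              () -> SafeRules.isSuppressed("no-such-finding"));
        System.out.println("ArrayList singleton:            "
                + (unsafe == null ? "no exception this run (race not hit)" : unsafe));
        System.out.println("CopyOnWriteArrayList singleton: "
                + (safe == null ? "no exception" : safe));
    }
}
```

The unsafe run depends on thread timing, so it may occasionally pass; that is exactly why this class of bug shows up as flaky CI failures rather than a deterministic error. Note that CopyOnWriteArrayList only fixes iteration; it does not make a read-then-write sequence atomic, so a loader that checks for duplicates before adding still needs its own synchronisation.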
Think I'm experiencing the same thing since upgrading from 7.1.0.1 to 7.2.1. CI runs gradle plugin dependencyCheckAggregate on a multi-module project using an executor configured with the gradle parallel option.
Also, not sure if related to this issue but seems to correlate with the 7.1.0.1 -> 7.2.1 upgrade, I get flaky dependencyCheckAggregate failures where the logs report vulnerabilities: https://app.circleci.com/pipelines/github/ConsenSys/web3signer/2307/workflows/c3cef431-387f-4e8f-84cc-210741cfa161/jobs/7695 however the generated report does not: https://output.circle-artifacts.com/output/job/223315ad-72bf-4f9a-be4e-0f60cf60d6ca/artifacts/0/test-reports/dependency-check-report.html and indeed it passes on a rerun.
This should be fixed with the next release (patched via #4935). |
Describe the bug
A clear and concise description of what the bug is.
Version of dependency-check used
The problem occurs using version 7.1.2 of the docker container
Log file
https://gist.github.com/SvenLie/94f6e98447bcd2d79c90cd4a9e0553d7
To Reproduce
Have two CI pipelines running the command "/usr/share/dependency-check/bin/dependency-check.sh --data ".dependency-check" --out ".dependency-check" --suppression ".dependency-check/suppressions.xml" --scan "./" --project "$CI_PROJECT_TITLE" --format ALL --enableExperimental --disableYarnAudit" at the same time. One pipeline will fail with the log above. When running the command only once, it works.