diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index 1594d85920d..23618e7f9f8 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -414,10 +414,8 @@ private void removeWrongVersionMatches(Dependency dependency) {
 private void addFalseNegativeCPEs(Dependency dependency) {
 final CpeBuilder builder = new CpeBuilder();
 //TODO move this to the hint analyzer
- // defensive copu for #3618 as I do not have access projects with opensso / opensso_enterprise
- // to validate that a move of rules to the hint analyzer will result in the desired effects
- List currentVulnSwIds = new ArrayList<>(dependency.getVulnerableSoftwareIdentifiers());
- currentVulnSwIds.stream()
+ List identifiersToAdd = new ArrayList<>();
+ dependency.getVulnerableSoftwareIdentifiers().stream()
 .filter((i) -> (i instanceof CpeIdentifier))
 .map(i -> (CpeIdentifier) i)
 .forEach((i) -> {
@@ -440,10 +438,10 @@ private void addFalseNegativeCPEs(Dependency dependency) {
 final CpeIdentifier newCpeId2 = new CpeIdentifier(newCpe2, i.getConfidence());
 final CpeIdentifier newCpeId3 = new CpeIdentifier(newCpe3, i.getConfidence());
 final CpeIdentifier newCpeId4 = new CpeIdentifier(newCpe4, i.getConfidence());
- dependency.addVulnerableSoftwareIdentifier(newCpeId1);
- dependency.addVulnerableSoftwareIdentifier(newCpeId2);
- dependency.addVulnerableSoftwareIdentifier(newCpeId3);
- dependency.addVulnerableSoftwareIdentifier(newCpeId4);
+ identifiersToAdd.add(newCpeId1);
+ identifiersToAdd.add(newCpeId2);
+ identifiersToAdd.add(newCpeId3);
+ identifiersToAdd.add(newCpeId4);
 } catch (CpeValidationException ex) {
 LOGGER.warn("Unable to add oracle and sun CPEs", ex);
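Review bot: The new `List identifiersToAdd = new ArrayList<>();` line declares a raw type, so the diamond infers `ArrayList<Object>` and the compiler no longer checks that only `CpeIdentifier` values are collected for the later bulk add; it should read `List<CpeIdentifier> identifiersToAdd = new ArrayList<>();`. The removed comment was the only explanation of why additions are kept away from the collection being streamed, and the new code carries none, so a one-line `// collected here and added after the stream so the identifier collection is not modified while it is iterated` above the declaration would preserve that intent without the typo. addFalseNegativeCPEs continues past the end of this hunk.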
@@ -454,12 +452,13 @@ private void addFalseNegativeCPEs(Dependency dependency) {
 final Cpe newCpe1 = builder.part(Part.APPLICATION).vendor("apache")
 .product("xml_security_for_java").version(cpe.getVersion()).build();
 final CpeIdentifier newCpeId1 = new CpeIdentifier(newCpe1, i.getConfidence());
- dependency.addVulnerableSoftwareIdentifier(newCpeId1);
+ identifiersToAdd.add(newCpeId1);
 } catch (CpeValidationException ex) {
 LOGGER.warn("Unable to add apache xml_security_for_java CPE", ex);
 }
 }
 });
+ identifiersToAdd.forEach(dependency::addVulnerableSoftwareIdentifier);
 }
 
 /**
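Review bot: The added `identifiersToAdd.forEach(dependency::addVulnerableSoftwareIdentifier);` is the whole reason the per-identifier adds were pulled out of the stream, yet nothing in the hunk says so, and a future reader will be tempted to move the adds back to where the CPEs are built. A comment above the line such as `// Added only after the stream completes so the collection returned by getVulnerableSoftwareIdentifiers() is not modified while it is being iterated; the new CPEs are deliberately not re-run through these rules` would record the intent (the collection's type is not visible here, so the mid-iteration concern is presumed from the shape of the change). addFalseNegativeCPEs starts before this hunk.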