Adding enhancement (and test) that compensates for an invalid package.json (one without a name field) and automatically adds the name field with a value of "1" so that the analysis continues rather than fails. #975

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java

@@ -69,6 +69,12 @@ public final class SanitizePackage {
      */
     public static JsonObject sanitize(JsonObject rawPackage) {
         final JsonObjectBuilder builder = Json.createObjectBuilder();
+        if (rawPackage.get("name") == null) {
+            // Reproduce the behavior of 'nsp check' by not failing on a
+            // package.json without a name field (string).
+            // https://github.com/jeremylong/DependencyCheck/issues/975
+            builder.add("name", "1");
+        }
         for (Map.Entry<String, JsonValue> entry : rawPackage.entrySet()) {
             if (WHITELIST.contains(entry.getKey())) {
                 builder.add(entry.getKey(), entry.getValue());

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java

@@ -91,4 +91,11 @@ public class NspAnalyzerTest extends BaseTest {
         // node modules are not scanned - no evidence is collected
         assertTrue(result.size() == 0);
     }
+
+    @Test
+    public void testAnalyzeInvalidPackageMissingName() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/minimal-invalid.json"));
+        analyzer.analyze(result, null);
+        // Upon analysis, not throwing an exception in this case, is all that's required to pass this test
+    }
 }

dependency-check-core/src/test/resources/nsp/minimal-invalid.json

@@ -0,0 +1 @@
+{ "devDependencies": { "generator-jhipster": "4.5.2" } }