From 088566a2cf52d67e0efd8d1e933903df4dde6f21 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Thu, 9 Nov 2017 16:14:24 -0600
Subject: [PATCH] Adding enhancement (and test) that compensates for an invalid package.json (one without a name field) and automatically adds the name field with a value of "1" so that the analysis continues rather than fails. #975
---
 .../owasp/dependencycheck/data/nsp/SanitizePackage.java | 6 ++++++
 .../owasp/dependencycheck/analyzer/NspAnalyzerTest.java | 7 +++++++
 .../src/test/resources/nsp/minimal-invalid.json | 1 +
 3 files changed, 14 insertions(+)
 create mode 100644 dependency-check-core/src/test/resources/nsp/minimal-invalid.json
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java
index 4bee31ceb..888ab0999 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nsp/SanitizePackage.java
@@ -69,6 +69,12 @@ public final class SanitizePackage {
 */
 public static JsonObject sanitize(JsonObject rawPackage) {
 final JsonObjectBuilder builder = Json.createObjectBuilder();
+ if (rawPackage.get("name") == null) {
+ // Reproduce the behavior of 'nsp check' by not failing on a
+ // package.json without a name field (string).
+ // https://github.com/jeremylong/DependencyCheck/issues/975
+ builder.add("name", "1");
+ }
 for (Map.Entry entry : rawPackage.entrySet()) {
 if (WHITELIST.contains(entry.getKey())) {
 builder.add(entry.getKey(), entry.getValue());
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java
index 5d9d7b747..dfcd98d3f 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java
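Review bot: The guard `if (rawPackage.get("name") == null)` only catches a key that is absent; a package.json carrying `"name": null` or a non-string name (a number or an object) yields a non-null JsonValue, skips the fallback, and is presumably copied through unchanged by the whitelist loop below if `name` is whitelisted, so the "(string)" promise in the new comment is not actually enforced. Checking the value type closes both cases: `final JsonValue name = rawPackage.get("name");` / `if (name == null || name.getValueType() != JsonValue.ValueType.STRING) {` (JsonValue may need importing next to the other javax.json types the file already uses). The placeholder `"1"` is a magic value whose only explanation is the comment; a named constant such as `private static final String DEFAULT_NAME = "1"; // nsp check compatibility, see #975` would keep the intent visible wherever it is used. sanitize's body continues past the end of the hunk.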
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NspAnalyzerTest.java
@@ -91,4 +91,11 @@ public class NspAnalyzerTest extends BaseTest {
 // node modules are not scanned - no evidence is collected
 assertTrue(result.size() == 0);
 }
+
+ @Test
+ public void testAnalyzeInvalidPackageMissingName() throws AnalysisException {
+ final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "nsp/minimal-invalid.json"));
+ analyzer.analyze(result, null);
+ // Upon analysis, not throwing an exception in this case, is all that's required to pass this test
+ }
 }
diff --git a/dependency-check-core/src/test/resources/nsp/minimal-invalid.json b/dependency-check-core/src/test/resources/nsp/minimal-invalid.json
new file mode 100644
index 000000000..37f52b5b5
--- /dev/null
+++ b/dependency-check-core/src/test/resources/nsp/minimal-invalid.json
@@ -0,0 +1 @@
+{ "devDependencies": { "generator-jhipster": "4.5.2" } }
\ No newline at end of file
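Review bot: testAnalyzeInvalidPackageMissingName asserts nothing, so it passes for any analyzer behaviour short of an exception, including a future regression that silently skips the dependency, and it does not pin the `name` → `"1"` substitution this commit introduces. A direct test of the sanitizer would pin it: build a JsonObject holding only `devDependencies`, call `SanitizePackage.sanitize(raw)`, and `assertEquals("1", sanitized.getString("name"));`. Failing that, the new test should at least assert a post-condition on `result` after `analyzer.analyze(result, null)` instead of relying on the comment to explain why an empty body is acceptable.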