From ade69168d0cad48d86971810d4f1bd2a8d7fc41a Mon Sep 17 00:00:00 2001
From: Kevin Tham
Date: Tue, 8 Aug 2017 11:33:50 -0700
Subject: [PATCH] Make fixes to NspAnalyzer to correctly parse package.json files

* parse `bundledDependencies` and `bundleDependencies' as a JsonArray
* parse `license` as a JsonObject for older libraries that used license objects
---
 .../dependencycheck/analyzer/NspAnalyzer.java | 31 ++++++++++++++++---
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
index 54a4df555..8b153235f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java
@@ -43,6 +43,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import javax.json.Json;
+import javax.json.JsonArray;
 import javax.json.JsonException;
 import javax.json.JsonObject;
 import javax.json.JsonObjectBuilder;
@@ -232,11 +233,11 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 processPackage(dependency, dependencies, "peerDependencies");
 }
 if (packageJson.containsKey("bundleDependencies")) {
- final JsonObject dependencies = packageJson.getJsonObject("bundleDependencies");
+ final JsonArray dependencies = packageJson.getJsonArray("bundleDependencies");
 processPackage(dependency, dependencies, "bundleDependencies");
 }
 if (packageJson.containsKey("bundledDependencies")) {
- final JsonObject dependencies = packageJson.getJsonObject("bundledDependencies");
+ final JsonArray dependencies = packageJson.getJsonArray("bundledDependencies");
 processPackage(dependency, dependencies, "bundledDependencies");
 }
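Review bot: `packageJson.getJsonArray("bundleDependencies")` (and the matching `bundledDependencies` line three lines below) still performs an unchecked cast, so a package.json whose value is not an array — for example the object form the removed `getJsonObject` call expected — now raises a ClassCastException that propagates out of this method instead of being skipped. package.json content comes from third-party packages, so the value type should be checked before the cast: `final JsonValue value = packageJson.get("bundleDependencies");` / `if (value.getValueType() == JsonValue.ValueType.ARRAY) {` / `processPackage(dependency, (JsonArray) value, "bundleDependencies");`. `javax.json.JsonValue` would need an import if it is not already present; the import hunk above only adds `JsonArray`. The enclosing method starts before this hunk.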
@@ -244,7 +245,12 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 * Adds the license if defined in package.json
 */
 if (packageJson.containsKey("license")) {
- dependency.setLicense(packageJson.getString("license"));
+ final Object value = packageJson.get("license");
+ if (value instanceof JsonString) {
+ dependency.setLicense(packageJson.getString("license"));
+ } else {
+ dependency.setLicense(packageJson.getJsonObject("license").getString("type"));
+ }
 }
 /*
@@ -267,7 +273,24 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
 }
 /**
- * Processes a part of package.json (as defined by JsobObject) and update
+ * Processes a part of package.json (as defined by JsonArray) and update
+ * the specified dependency with relevant info.
+ *
+ * @param dependency the Dependency to update
+ * @param jsonArray the jsonArray to parse
+ * @param depType the dependency type
+ */
+ private void processPackage(Dependency dependency, JsonArray jsonArray, String depType) {
+ JsonObjectBuilder builder = Json.createObjectBuilder();
+ for (JsonString str : jsonArray.getValuesAs(JsonString.class)) {
+ builder.add(str.toString(), "");
+ }
+ JsonObject jsonObject = builder.build();
+ processPackage(dependency, jsonObject, depType);
+ }
+
+ /**
+ * Processes a part of package.json (as defined by JsonObject) and update
 * the specified dependency with relevant info.
 *
 * @param dependency the Dependency to update
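Review bot: The `else` branch of the new license handling treats every non-string value as an object with a `type` key, so a `license` that is an array, a number or JSON null makes `getJsonObject("license")` throw ClassCastException, and an object without `type` makes `getString("type")` throw NullPointerException — both unchecked and coming from third-party package.json input. `value` is also declared as `Object` although `packageJson.get` returns a `JsonValue`; switching on `getValueType()` handles each shape explicitly and lets a missing `type` fall through without setting a license. `javax.json.JsonValue` needs to be in scope (the import hunk only adds `JsonArray`); the enclosing method starts before this hunk.
```java
final JsonValue value = packageJson.get("license");
if (value.getValueType() == JsonValue.ValueType.STRING) {
    dependency.setLicense(((JsonString) value).getString());
} else if (value.getValueType() == JsonValue.ValueType.OBJECT) {
    // older package.json files used {"type": ..., "url": ...}; tolerate a missing "type"
    final String type = ((JsonObject) value).getString("type", null);
    if (type != null) {
        dependency.setLicense(type);
    }
}
```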
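Review bot: `builder.add(str.toString(), "")` in the new `processPackage(Dependency, JsonArray, String)` overload stores the JSON text of each element, which for a `JsonString` includes the surrounding quote characters, so every bundled dependency name is recorded as `"name"` rather than `name`; the raw value comes from `str.getString()`: `builder.add(str.getString(), "");`. `getValuesAs(JsonString.class)` also throws ClassCastException during iteration if an element is not a string, which would need the same kind of guard as the callers. The two locals could be declared `final` to match the style of the `dependencies` locals earlier in the file, and the Javadoc could state that the names are forwarded to the `JsonObject` overload with an empty version string, since how that overload treats an empty version is not visible in this hunk. The enclosing class continues outside the hunk.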