Fix

Author: jandro996

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java

@@ -416,7 +416,11 @@ private static class InsecureJspFolderVisitor implements FileVisitor<Path> {
 
     @Override
     public FileVisitResult preVisitDirectory(final Path dir, final BasicFileAttributes attrs) {
-      final String folder = dir.getFileName().toString();
+      final Path fileName = dir.getFileName();
+      if (fileName == null) {
+        return FileVisitResult.CONTINUE;
+      }
+      final String folder = fileName.toString();
       if (endsWithIgnoreCase(folder, WEB_INF)) {
         return FileVisitResult.SKIP_SUBTREE;
       }

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy

@@ -6,6 +6,9 @@ import com.datadog.iast.model.Vulnerability
 import com.datadog.iast.model.VulnerabilityType
 import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.sink.ApplicationModule
+import java.io.File
+import java.nio.file.FileVisitResult
+import java.nio.file.Paths
 
 import static com.datadog.iast.model.VulnerabilityType.ADMIN_CONSOLE_ACTIVE
 import static com.datadog.iast.model.VulnerabilityType.DEFAULT_HTML_ESCAPE_INVALID
@@ -138,4 +141,18 @@ class ApplicationModuleTest extends IastModuleImplTestBase {
     }
     assert vuln.location.line == line
   }
+
+  void 'insecure jsp visitor handles root directory without name'() {
+    given:
+    def visitorClass = ApplicationModuleImpl.declaredClasses.find { it.simpleName == 'InsecureJspFolderVisitor' }
+    def constructor = visitorClass.getDeclaredConstructor()
+    constructor.accessible = true
+    def visitor = constructor.newInstance()
+
+    when:
+    def result = visitor.preVisitDirectory(Paths.get(File.separator), null)
+
+    then:
+    result == FileVisitResult.CONTINUE
+  }
 }