Please consider org.json:json alternative #1279

Closed
DPUkyle opened this issue Aug 24, 2020 · 10 comments

DPUkyle commented Aug 24, 2020

Hi @KengoTODA I see that spotbugs/discuss#95 was merged and released with tool v4.1.0 - that's great!

I have one question about the license of the org.json:json library - it's unconventional and is actually banned by ASF: http://apache.org/legal/resolved.html#category-x -> see "Nonsensical licenses".

Debian lists some alternatives but I'm sure this list is not very current, nor comprehensive: https://wiki.debian.org/qa.debian.org/jsonevil

My organization specifically objects to the license's use of the language "The Software shall be used for Good, not Evil."; as such, I'd encourage you to please consider alternative implementations to produce the SARIF report. As a consequence, we will be unable to use spotbugs v4.1.0 or higher ☹️

FYI @lgolding @michaelcfanning

KengoTODA self-assigned this Aug 25, 2020
@henrik242
Contributor

@DPUkyle So, you'd like to use Spotbugs for Evil?

KengoTODA transferred this issue from spotbugs/discuss Sep 4, 2020

welcome bot commented Sep 4, 2020

Thanks for opening your first issue here! 😃
Please check our contributing guideline. Especially when you report a problem, make sure you share a Minimal, Complete, and Verifiable example to reproduce it in this issue.

@KengoTODA
Member

Working on this issue. Gson seems smaller than Jackson, so I'm trying to play with Gson.

The Gradle plugin isn't working well to generate both annotation and additionalProperties, so I reported the issue as jsonschema2dataclass/js2d-gradle#10
If the problem is not resolved, I'll try to code without annotation.

@sabberworm

> My organization specifically objects to the license's use of the language "The Software shall be used for Good, not Evil."

@DPUkyle I think you should quit working for this company ASAP…

@h-vetinari

Any update on this? This is blocking (much of) the hadoop ecosystem from moving to Java 11+, see https://issues.apache.org/jira/browse/HADOOP-17269

@michaelcfanning

@eddynaka @yongyan-gh

@KengoTODA, want any help with this problem? We're just about to propose a new SARIF contribution that provides for SARIF-friendly rule ids. Maybe we could finish whatever work you've started with gson as well?

Glad to help if you want it.

@KengoTODA
Member

The current blocker for me is that json2pojo does not generate fields of MessageStrings as expected.

For the current implementation, I manually coded MessageStrings and other classes. But it's better to generate it based on JSON schema. This is why I want to use json2pojo via https://github.com/eirnym/js2p-gradle

@michaelcfanning

OK! We'll take a look and see if we can get the SARIF schema through json2pojo today. More soon...

Contributor

yongyan-gh commented Feb 19, 2021

> The current blocker for me is json2pojo does not generate fields of MessageStrings as expected.
>
> For the current implementation, I manually coded MessageStrings and other classes. But it's better to generate it based on JSON schema. This is why I want to use json2pojo via https://github.com/eirnym/js2p-gradle

Hi @KengoTODA, do we have to have POJO classes for resolving this issue?
Can we leverage existing model classes used to generate the SARIF log, and replace org.json lib with gson lib?
I can help with this request.

@aajisaka
Contributor

Now I think this issue is fixed by #1437 and can be closed. Thank you @yongyan-gh and @KengoTODA!
