Replace 'org.json:json' lib with 'com.google.code.gson' lib

[yongyan-gh]

This is for issue #1279

• Some of Gson classes/methods doesn't support fluent syntax now, has to refactor a little bit.
• org.json:json has append() / putOpt() can handle empty/null object/array, which need to manually handle in Gson.

[yongyan-gh]

Attached the Sarif log generated with this change (using com.google.code.gson)
also Sarif log generated using current SpotBugs (org.json:json) for a comparison reference.
GsonSarifLog.zip

@KengoTODA pls review.
cc @michaelcfanning @eddynaka

[KengoTODA]

Thanks for your contribution! Please check my comments for maintainability.

Also, please put https://github.com/google/gson/blob/gson-parent-2.8.6/LICENSE into spotbugs/licenses directory to distribute.

[KengoTODA]

Is are any reason to prefer String.valueOf( ... ) over organization.toString()? If so, I want to make the intention clear.

[yongyan-gh]

Fixed.
organization was declared as Object it should be String

[KengoTODA]

Do we need this method? The old one was provided to configure the org.json's serializer.
So I assume what we need is not this method but similar way to configure the serialier, like SerializedName.

[yongyan-gh]

Added SerializedName annotation to the enum. Its useful if we use Gson toJson/fromJson methods to serialize/deserialize objects.

Current we create/setup JsonObject instead serializing object. e.g.

        JsonObject result = new JsonObject();
        result.addProperty("ruleId", ruleId);
        result.addProperty("ruleIndex", ruleIndex);;
        result.addProperty("level", level.toJsonString());

I think after POJO classes are introduced we should be able to use object serialization/deserialization and not need this method anymore

[yongyan-gh]

Also tried
return new Gson().toJson(this);
but it returned string with double quotes "\"warning"\", but we need string without double quotes "warning"

[KengoTODA]

I assume it's better to throw UncheckedIOException instead?
At least, we cannot ignore this exception like this, because we surely have problem in generated SARIF report file.

[yongyan-gh]

Fixed.

[KengoTODA]

Here we do not need to invoke e.printStackTrace(System.err);. Who catches the error will print it.

And when we need to log, we use SLF4J as a logging facade so please do not use System.err directly.

[yongyan-gh]

Removed printStackTrace to let caller to log the error.

[KengoTODA]

This try-block seems needless.

Suggested change

	try {
	Gson gson = new Gson();
	jsonWriter.name("runs").beginArray().beginObject();
	BugCollectionAnalyser analyser = new BugCollectionAnalyser(getBugCollection());
	processTool(jsonWriter, analyser.getRules());
	processInvocations(jsonWriter, analyser.getBaseToId());
	jsonWriter.name("results").beginArray();
	analyser.getResults().forEach((result) -> gson.toJson(result, jsonWriter));
	jsonWriter.endArray();
	jsonWriter.name("originalUriBaseIds");
	gson.toJson(analyser.getOriginalUriBaseIds(), jsonWriter);
	jsonWriter.endObject().endArray(); // end "runs", end "runs" array
	} catch (IOException e) {
	throw e;
	}
	Gson gson = new Gson();
	jsonWriter.name("runs").beginArray().beginObject();
	BugCollectionAnalyser analyser = new BugCollectionAnalyser(getBugCollection());
	processTool(jsonWriter, analyser.getRules());
	processInvocations(jsonWriter, analyser.getBaseToId());
	jsonWriter.name("results").beginArray();
	analyser.getResults().forEach((result) -> gson.toJson(result, jsonWriter));
	jsonWriter.endArray();
	jsonWriter.name("originalUriBaseIds");
	gson.toJson(analyser.getOriginalUriBaseIds(), jsonWriter);
	jsonWriter.endObject().endArray(); // end "runs", end "runs" array

[yongyan-gh]

Edit: fixed.
Most methods of Gson JsonWriter like name/value/begin.../end... throw IOException. That's why I have to catch it in try catch block.

[KengoTODA]

This try-block seems needless.

Suggested change

	try {
	Gson gson = new Gson();
	jsonWriter.name("invocations").beginArray();
	gson.toJson(invocation.toJsonObject(), jsonWriter);
	jsonWriter.endArray();
	} catch (IOException e) {
	throw e;
	}
	Gson gson = new Gson();
	jsonWriter.name("invocations").beginArray();
	gson.toJson(invocation.toJsonObject(), jsonWriter);
	jsonWriter.endArray();

[yongyan-gh]

Fixed

[KengoTODA]

This try-block is also needless. Simply throw IOException to the caller side.

[yongyan-gh]

Fixed

[KengoTODA]

Is it OK to generate Gson instance on demand? Not sure its cost, but if it takes much resources (CPU or Java heap), consider to create it once and reuse by providing it via method parameter.

[yongyan-gh]

Added a Gson member instead creating new instance for each place.
According to Gson user guide:

The Gson instance does not maintain any state while invoking Json operations. So, you are free to reuse the same object for multiple Json serialization and deserialization operations.

[KengoTODA]

Good comment to keep the code readable! 👍

[KengoTODA]

this try-block seems needless.

[yongyan-gh]

Fixed

[KengoTODA]

Cool. Just one change is necessary, please check.

[KengoTODA]

Here we do not need to invoke e.printStackTrace(System.err);. Who catches the error will print it.

And when we need to log, we use SLF4J as a logging facade so please do not use System.err directly.

[KengoTODA]

LGTM. Thanks for your contribution!

[KengoTODA]

@spotbugs/everyone if possible, please double-check this PR. I'm recently little bit careless to make a high quality review. 🙇‍♂️

[yongyan-gh]

LGTM. Thanks for your contribution!

Thank you for reviewing!

[yongyan-gh]

Edit: fixed.
Most methods of Gson JsonWriter like name/value/begin.../end... throw IOException. That's why I have to catch it in try catch block.

[yongyan-gh]

Fixed.
organization was declared as Object it should be String

[yongyan-gh]

Fixed.

[yongyan-gh]

Added a Gson member instead creating new instance for each place.
According to Gson user guide:

The Gson instance does not maintain any state while invoking Json operations. So, you are free to reuse the same object for multiple Json serialization and deserialization operations.

[yongyan-gh]

Added SerializedName annotation to the enum. Its useful if we use Gson toJson/fromJson methods to serialize/deserialize objects.

Current we create/setup JsonObject instead serializing object. e.g.

        JsonObject result = new JsonObject();
        result.addProperty("ruleId", ruleId);
        result.addProperty("ruleIndex", ruleIndex);;
        result.addProperty("level", level.toJsonString());

I think after POJO classes are introduced we should be able to use object serialization/deserialization and not need this method anymore

[yongyan-gh]

Also tried
return new Gson().toJson(this);
but it returned string with double quotes "\"warning"\", but we need string without double quotes "warning"

[yongyan-gh]

Fixed

[yongyan-gh]

Fixed

[yongyan-gh]

Fixed

[yongyan-gh]

Removed printStackTrace to let caller to log the error.

[yongyan-gh]

Attached the Sarif log generated by SpotBugs with the Gson changes.
Except some name/value pairs are in different order, its identical to original Sarif log file generated using org.json
gsonResult.zip

[yongyan-gh]

@KengoTODA
I ran all tests all passed and adhoc tests it works as expected. Can you pls merge this change if no more issue?
Also pls review #1434.

Thanks!

[michaelcfanning]

Fantastic!