Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recommend upgrading to the real org.json #179

Closed
stleary opened this issue Oct 12, 2023 · 9 comments
Closed

Recommend upgrading to the real org.json #179

stleary opened this issue Oct 12, 2023 · 9 comments

Comments

@stleary
Copy link

stleary commented Oct 12, 2023

org.json now has a public domain license. The latest version is more capable and contains many bug fixes not found in the Android version. Also, you could use similar() for strict comparisons.
@Brummolix
Copy link

I agree, for example the original version is vulnerable, see https://nvd.nist.gov/vuln/detail/CVE-2023-5072
The (very old) fork may be vulnerable, too.

@fkriegl
Copy link

fkriegl commented Oct 26, 2023
edited
Loading

Context:

currently skyscreamer/JSONassert uses the vaadin implementation of org.json:

JSONassert/pom.xml

Lines 52 to 56 in 7414e90

<dependency>
<groupId>com.vaadin.external.google</groupId>
<artifactId>android-json</artifactId>
<version>0.0.20131108.vaadin1</version>
</dependency>

Suggestion:

Use Open Json.

Instead of using org.json aka stleary/JSON-java, I suggest to switch to the Open Json reimplementation, because it has an Apache-2.0 license. Open-Json is based on the original vaadin implementation (which was a reimplementation of stleary/JSON-java).

Background:

Developers are fleeing from stleary/JSON-java because of its non-OSI-license. The JSON license was replaced by a even less specific "Public domain" license in 2022, leaving even more room for interpretation on what this license implies (at least for corporate lawyers... for developers it is likely more than clear).

See also:

The Apache Software Foundation has now also banned this library [...]
- stleary/JSON-java#331 (comment)

and

[...] they are just looking for something more "formal" to satiate corporate lawyers. I believe a license like this matches what [Douglas Crockford's] intent is [.]
- stleary/JSON-java#706 (comment)

The "problem" is that some developers work in a corporate context and thus cannot use software/libraries that are licensed in an ..let's say "informal" way.
All that (many) people (likely) want is using this nice little library (props to the maintainer) with less stress regarding an unspecific license.

Since skyscreamer/JSONassert is even used by Spring Framework, this affects thousands of developers and software projects because @spring-projects' spring-framework and spring-boot are widely spread in commercial and non-commercial software products.

@carterpage
Copy link
Member

I haven't done a new version in a few years, so this will take some time to get the pom.xml modernized. The org.json update will need to be a new minor version at least since it will change how nulls are handled. I'll probably get a 1.5.2 out first to deal with some immediate problems, and then try to fast follow on 1.6.0.

This is not a commercial effort, so I don't have an ETA. However, I will post updates.

@carterpage
Copy link
Member

Any more thoughts on org.json vs openjson?

org.json is backward breaking in terms of null handling and may require a major update. If openjson does not break the tests, then we could probably release with just a minor bump.

Regardless, it's high time to get off the ancient vaadin library.

@carterpage
Copy link
Member

Oh, openjson uses different packages. It's perhaps even more backward breaking.

If we were to use org.json, what would be the best version to put in the maven dependency to be as friendly to as many projects as possible? @stleary opinions appreciated.

@stleary
Copy link
Author

stleary commented Jun 30, 2024

@carterpage I would recommend the org.json latest release: 20240303.

@fkriegl
Copy link

fkriegl commented Jul 1, 2024

Oh, openjson uses different packages. It's perhaps even more backward breaking.

Is this a problem?
How about releasing a new major version with OpenJson? That would not require backward compatibility (and could be picked up in a new spring minor release); and optionally a new minor version with org.json? I know that's twice the work... but I do not see an advantage regarding the license issue when using org.json (which is technically fine).
However, the license of org.json is "Public Domain" which is just not formal enough, see my earlier comment regarding that license topic discussion. It would not allow many developers in a corporate context to use the library.

I see two options:

  1. The unrealistic one:
    In a new release of org.json, switch to a more formal license (@stleary), that has the same intent as "public domain" but has some "official definition" and by that satiates corporate lawyers. As already suggested by others org.json could switch to the "Unlicense":
    https://opensource.org/license/unlicense
    Then, JSONassert could use the version released under this new license.

However, following the closing comment in the issue here I don't think we can expect a change in the license of org.json, as the maintainers do not see a need to change or don't want to acknowledge the problem users are facing with the current license type:

The author Douglas Crockford is well aware of the harm he's doing but numerous request from different projects and parties could not change his mind.
- https://wiki.debian.org/qa.debian.org/jsonevil

So maybe JSONassert should just follow the maintainer's advice and do not use org.json:

If Public Domain is not liberal enough for you, I recommend that you do not use it.
- stleary/JSON-java#706 (comment)

  1. The higher effort option:
    Use OpenJson or another library with an OSI license type instead and create a new major release.

However, also OpenJson might have drawbacks (how high is the adoption? is there just one maintainer? how often will new (maintenance) release versions be published? etc. )
Maybe also the maintainer of OpenJson (@mfursov) could let us know his thoughts on this.

(Unfortunately) software development is not only about code, but also about legal requirements.
Without a different license (in org.json) or using another json library that has an OSI license, I personally don't see a chance to confidently use JSONassert in the future.

@david-m-s david-m-s mentioned this issue Jul 3, 2024
Closed
@carterpage
Copy link
Member

@stleary Briefly, can you please help me understand why 20231013 wouldn't be a safer bet?

  • It has the most usages in central (for versions <5 years old)
  • It is the oldest commonly used version without any vulnerabilities
  • 20240303 has new public methods (JSONAssert isn't using any of those methods, so maybe this is moot.)

I notice json-java is using a much older version of json-path (upgraded from 2.1 to 2.4 in 20240205), so I'm wondering if latest/greatest is ideal for a low level library.

@carterpage carterpage mentioned this issue Jul 19, 2024
Merged
@carterpage
Copy link
Member

@stleary Thanks for the recommendation. This will use the new library in the next version.

@fkriegl Thanks for your suggestion. I have opted to use org.json because it is the most widely used JSON library. I am not a lawyer, but plenty of companies with their own lawyers (e.g. Google) seem comfortable with including it in their own open source libraries so that's good enough for me. Feel free to fork JSONAssert to create a version that supports Open JSON!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@carterpage @stleary @Brummolix @fkriegl