[Bug]: Beam uses a version of the org.json:json that has a Category X license #30404

Closed
16 tasks
pjfanning opened this issue Feb 23, 2024 · 0 comments · Fixed by #30406

Comments

@pjfanning

What happened?

Only versions of org.json:json from the last year or 2 are properly in the public domain. Prior to that you were not allowed to use the jar to commit evil (no kidding). This nonsensical restriction is against ASF policies.

See the section about JSON License in https://www.apache.org/legal/resolved.html

Here's a Beam usage of an old version of this jar:

implementation group: 'org.json', name: 'json', version: '20201115'

There are also CVE fixes in the more recent versions - so 2 wins if you upgrade.

Issue Priority

Priority: 2 (default / most bugs should be filed as P2)

Issue Components

  • Component: Python SDK
  • Component: Java SDK
  • Component: Go SDK
  • Component: Typescript SDK
  • Component: IO connector
  • Component: Beam YAML
  • Component: Beam examples
  • Component: Beam playground
  • Component: Beam katas
  • Component: Website
  • Component: Spark Runner
  • Component: Flink Runner
  • Component: Samza Runner
  • Component: Twister2 Runner
  • Component: Hazelcast Jet Runner
  • Component: Google Cloud Dataflow Runner