...
- https://blog.takipi.com/the-ultimate-json-library-json-simple-vs-gson-vs-jackson-vs-json/
- https://github.com/fabienrenaud/java-json-benchmark
Articles above link to about 20 libraries as Rationale for eliminating some options from the articles above (about 20 libraries in total):
- Related to or derived from Jackson code
- Requires change to compilers and compile-time processes
- Counter-productive to CII Badging criteria, see also https://github.com/coreinfrastructure/best-practices-badge
- Unmaintained in recent years
- Vulnerabilities not addressed
- "Bus factor" too low
- Number of contributors and reviewers too low
Short-list of libraries as reasonable options to be explored, including:
- https://github.com/alibaba/fastjson
- https://github.com/google/gson
- https://github.com/square/moshi
- httphttps://gensongithub.iocom/owlike/genson
Quick CVE comparison:
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fastjson+or+gson+or+moshi+or+genson
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fasterxml+or+jackson
...