Issue Description
As of Jakarta EE 9, the namespace for Java EE APIs has shifted from javax.* to jakarta.*. This change impacts applications deployed on Jakarta EE 9+ compatible servers like Tomcat 10, which exclusively support Jakarta namespaces.
Currently, DependencyCheck relies on javax.json (e.g., javax.json.Json), which is incompatible with Jakarta EE 9+ environments. Consequently, embedding DependencyCheck in applications deployed on Jakarta EE 9+ (e.g., as part of a WAR deployed on Tomcat 10) leads to runtime conflicts.
Proposed Change
We propose migrating from javax.json to jakarta.json (e.g., using the dependency jakarta.json:jakarta.json-api), which aligns with Jakarta EE 9+ specifications. This change ensures that DependencyCheck remains compatible with modern Java EE servers and avoids potential namespace conflicts.
Rationale
- Compatibility with Jakarta EE 9+: Jakarta EE 9+ servers such as Tomcat 10 exclusively support the jakarta.* namespace.
- Wider Adoption of Jakarta EE 9+: Many organizations are transitioning their applications to Jakarta EE 9+ and require compatible libraries.
- Seamless Integration in Modern Environments: Applications embedding DependencyCheck in Jakarta-based environments (e.g., via a WAR) can do so without modifications or workarounds.
Impact
The change should have minimal impact on current users who do not rely on Jakarta EE, as the functionality remains the same. Testing and verification can ensure a smooth transition.
Additional Context
We encountered this issue while embedding DependencyCheck in a WAR file deployed on Tomcat 10. Without this migration, the application fails to run due to namespace conflicts between javax.* and jakarta.*.
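An added example, not part of the original issue or DependencyCheck's own code: a Python audit that reports which jars under a WAR's WEB-INF/lib reference javax.json and which reference jakarta.json, to locate the mixed namespaces described above before deploying to a Jakarta EE 9+ server. It is a byte-substring heuristic over class files; the jar names and class payloads in the sample are constructed stand-ins.

```python
import io
import zipfile

# Internal (slash-separated) package prefixes as they appear in class-file constant pools.
MARKERS = {"javax.json": b"javax/json/", "jakarta.json": b"jakarta/json/"}


def namespaces_referenced(jar_bytes):
    """Return the JSON-P namespaces that any .class entry in the jar mentions."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                data = jar.read(name)
                found.update(ns for ns, marker in MARKERS.items() if marker in data)
    return found


def audit_war(war_bytes):
    """Map each jar under WEB-INF/lib/ to the JSON-P namespaces its classes reference."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in sorted(war.namelist()):
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                found = namespaces_referenced(war.read(name))
                if found:
                    report[name] = sorted(found)
    return report


def make_jar(entries):
    """Build an in-memory jar/WAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for entry, data in entries.items():
            archive.writestr(entry, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR; the .class payloads are stand-in bytes, not real class files."""
    return make_jar({
        "WEB-INF/lib/scanner-lib.jar": make_jar({"org/example/Parser.class": b"\xca\xfe\xba\xbe..javax/json/Json.."}),
        "WEB-INF/lib/webapp-lib.jar": make_jar({"org/example/Api.class": b"\xca\xfe\xba\xbe..jakarta/json/Json.."}),
        "WEB-INF/lib/util.jar": make_jar({"org/example/Util.class": b"\xca\xfe\xba\xbe..java/lang/Object.."}),
    })


if __name__ == "__main__":
    for jar, namespaces in audit_war(build_sample_war()).items():
        print(f"{jar}: {', '.join(namespaces)}")
```

A jar listed with javax.json in a WAR destined for a jakarta.*-only server is the one that needs the migrated dependency or its own bundled javax.json API.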