Trustable Compliance Report#
Item status guide#
Each item in a Trustable Graph is scored with a number between 0 and 1. The score represents aggregated organizational confidence in a given Statement, with larger numbers corresponding to higher confidence. Scores in the report are indicated by both a numerical score and the colormap below:
The status of an item and its links also affect the score.
Unreviewed items are indicated by a strikethrough. The score of unreviewed items is always set to zero.
Suspect links are indicated by italics. The contribution to the score of a parent item by a suspiciously linked child is always zero, regardless of the child’s own score.
Compliance for AOU#
This presents the compliance for the Assumptions of Use (AOU) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The integrator shall report problems with nlohmann/json’s implementation to the upstream nlohmann/json project whenever a problem is detected. |
0.00 |
|
The integrator shall ensure that the build environment used for nlohmann/json is supplied with consistent dependencies in every integrating system. |
0.00 |
|
The integrator ensures that integrator-controlled mirrors of the dependencies are persistently and accessibly stored as long as the library nlohmann/json is used. |
0.00 |
|
The integrator shall ensure that exceptions are properly handled or turned off, whenever nlohmann/json is used. |
0.00 |
|
The integrator shall ensure that input is encoded as UTF-8 (as required by RFC8259) and that exceptions thrown in case other string formats are used are properly handled |
0.00 |
|
The integrator shall ensure that brace initialization (e.g. json j{true};) is not used with the types basic_json, json, or ordered_json, unless an object or array is created. |
0.00 |
|
The integrator shall ensure that exceptions, which are expected during parsing with default parameters, are properly handled whenever the input is no valid JSON. |
0.00 |
|
The integrator shall ensure that all necessary source files and built tools are mirrored, e.g. using a built server without internet access, as long as nlohmann/json is actively used. |
0.00 |
|
The integrator shall ensure that advanced warning indicators for misbehaviours are identified, and monitoring mechanisms are specified, verified and validated based on analysis. |
0.00 |
|
The integrator shall evaluate the provided evidence and supplement it where necessary, whenever the trustability documentation of nlohmann/json is reviewed. |
0.00 |
|
The integrator shall ensure that nlohmann/json library is built with tools from the provided matrix specification, whenever nlohmann/json is used. (not yet provided) |
0.00 |
|
The integrator shall maintain mirrors for all code and tools utilized in testing as long as nlohmann/json is actively used. |
0.00 |
|
The integrator shall use C++ versions and compilers that are tested in the CI pipeline, whenever nlohmann/json is used. |
0.00 |
|
The integrator shall identify misbehaviours for nlohmann/json, define appropriate mitigations, and ensure that these mitigations are thoroughly validated, whenever using nlohmann/json. |
0.00 |
|
The integrator shall ensure that monitoring data from deployed software is accurately captured, securely stored, and well-documented for analysis, as long as nlohmann/json is actively used. |
0.00 |
|
The integrator shall analyze monitoring data systematically to detect trends and identify issues, as long as nlohmann/json is actively used. |
0.00 |
|
The integrator shall ensure that the keys within an object are unique, whenever an object is parsed by nlohmann/json. |
0.00 |
|
The integrator shall ensure that a string does not contain escaped unpaired utf-16 surrogate characters, and that exceptions are properly handled, whenever a string is to be parsed by nlohmann/json. |
0.00 |
|
The integrator shall ensure that numbers are written in base 10, and that exceptions and misbehaviours in case that any other base is used are properly handled and mitigated, whenever a number is parsed by nlohmann/json. |
0.00 |
|
The integrator shall ensure that data are complete and error-free, whenever they are transmitted to nlohmann/json. |
0.00 |
|
The integrator shall ensure that the data do not change during reading, whenever transmitted to nlohmann/json. |
0.00 |
|
The integrator shall convince himself that the behaviour of the C++ standard library is known, verified and validated. |
0.00 |
|
The integrator shall convince himself that the misbehaviours of the C++ standard library and mitigations are known, verified and validated. |
0.00 |
|
The integrator shall ensure that ChangeLog.md is updated whenever the local mirror of nlohmann/json is updated. |
0.00 |
Compliance for JLEX#
This presents the compliance for the JSON-Library Expectations (JLEX) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The requirement regarding JSON Validation is fulfilled. |
0.00 |
|
The requirement regarding JSON Deserialization is fulfilled. |
0.00 |
Compliance for JLS#
This presents the compliance for the JSON-Library Statements (JLS) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The nlohmann/json library project CI executes on each pull request (opened, reopened, synchronized) the integration test suite, and failures in these runs are investigated by contributors. |
0.00 |
|
Fuzz testing is used in the original nlohmann/json repository (https://github.com/nlohmann/json) to uncover edge cases and failure modes throughout development. (https://github.com/nlohmann/json/blob/develop/tests/fuzzing.md) |
0.00 |
|
Automated tests are reviewed by a Subject Matter Expert to verify they test the properties they claim to. |
0.00 |
|
External dependencies are checked for potential security vulnerabilities with each pull request to main. Merging is blocked until all warnings are resolved. |
0.00 |
|
The OSS nlohmann/json is widely used, actively maintained and uses github issues to track bugs and misbehaviours. |
0.00 |
|
Changes to the code (main branch) are applied only after code review and passing of all pipelines. |
0.00 |
|
Main branch is protected, i.e. no direct commits are possible. |
0.00 |
|
Each statement is scored based on SME reviews or automatic validation functions. (TODO) |
0.00 |
|
Scores are reasonably, systematically and repeatably accumulated. (TODO) |
0.00 |
|
Every release includes source code, build instructions, tests and attestations. (TODO: Test result summary) |
0.00 |
|
A score based on outstanding, fixed and mitigated faults is calculated based on github issues in nlohmann/json. (TODO) |
0.00 |
|
The S-Core change process management is followed. |
0.00 |
|
The S-Core methodologies are followed. |
0.00 |
|
The builds are repeatable (i.e. different builds lead to the same SHA value). (TODO) |
0.00 |
|
A list of tests, which is extracted from the test execution, is provided, along with a list of test environments. (TODO) |
0.00 |
|
A github workflow calculates the fraction of expectations covered by tests (TODO). |
0.00 |
|
Results from tests are accurately captured. (TODO) |
0.00 |
|
All components, dependencies and tools are listed in a manifest. |
0.00 |
|
A github workflow saves the history of scores in the trustable graph to derive trends. (TODO) |
0.00 |
|
A score is calculated based on the number of mirrored and unmirrored things. (TODO) |
0.00 |
|
The github workflow executes the unit tests daily and saves the results as time-series data. (TODO) |
0.00 |
|
The Eclipse S-CORE organization mirrors the nlohmann/json project in a github fork. |
0.00 |
|
The nlohmann/json library recognizes malformed JSON and returns an exception. |
0.00 |
|
Malicious code changes are mitigated by code reviews, adhering to Eclipse S-core contribution procedures and vigilance from the open-source community. |
0.00 |
|
Pipeline execution results are analyzed in the fork and the original nlohmann/json repository. |
0.00 |
Compliance for NJF#
This presents the compliance for the No JSON Faults (NJF) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The service accepts the literal name null. |
0.00 |
|
The service accepts the literal name true. |
0.00 |
|
The service accepts the literal name false. |
0.00 |
|
The service does not accept any other literal name. |
0.00 |
|
The service accepts and rejects arrays according to RFC8259 §5. |
0.00 |
|
The service accepts the empty array. |
0.00 |
|
The service accepts the non-empty arrays. |
0.00 |
|
If every value candidate of a properly bounded array is accepted as singleton, then the service accepts the array. |
0.00 |
|
The service does not accept any improperly bounded arrays. |
0.00 |
|
The service does not accept arrays with improper values. |
0.00 |
|
The service accepts nested arrays. |
0.00 |
|
The acceptance of nested arrays does not depend on the depth of nesting. |
0.00 |
|
The service does only accept comma as value separator. |
0.00 |
|
The service does accept comma as value separator. |
0.00 |
|
The service does not accept any other value separator. |
0.00 |
|
The service accepts and rejects objects according to RFC8259 §4. |
0.00 |
|
The service accepts the empty object. |
0.00 |
|
The service does not accept improperly bounded objects. |
0.00 |
|
The service accepts the non-empty objects. |
0.00 |
|
The admissible members of an object have the form name : value. |
0.00 |
|
If the service recognises the name candidate as string, then it accepts the name candidate. |
0.00 |
|
The service does not accept any other token as name. |
0.00 |
|
If the service accepts the value-candidate as a singleton, then the value-candidate is accepted. |
0.00 |
|
The service does not accept objects with improper members. |
0.00 |
|
If the service does not accept any name candidate as singleton, then the service does not accept the object candidate. |
0.00 |
|
If the service does not accept any value candidate as singleton, then the service does not accept the object candidate. |
0.00 |
|
The service accept the nested objects. |
0.00 |
|
The acceptance of nested objects does not depend on the depth of nesting. |
0.00 |
|
The service does only accept comma as member separator. |
0.00 |
|
The service accepts comma as member separator. |
0.00 |
|
The service does not accept any other member separator. |
0.00 |
|
The service accepts and rejects strings according to RFC8259 §7. |
0.00 |
|
The service does accept empty string. |
0.00 |
|
The service does not accept the improperly bounded strings. |
0.00 |
|
The service does not accept unescaped control characters. |
0.00 |
|
The service does accept the escaped control characters. |
0.00 |
|
The service accepts UTF-16 surrogate pairs. |
0.00 |
|
The service does accept the non-empty strings. |
0.00 |
|
The service does not accept escaped invalid characters. |
0.00 |
|
The service does not accept single unpaired utf-16 surrogates. |
0.00 |
|
The service does not accept unescaped UTF-16 surrogate pairs. |
0.00 |
|
The service accepts numbers according to RFC8259 §6. |
0.00 |
|
The service does accept integers within the limits of 64-bit double. |
0.00 |
|
The service does accept integers according to IEEE 754 binary64. |
0.00 |
|
The service does not accept NaN, infinity. |
0.00 |
|
The service does accept e or E for numbers with exponent within the bounds of double. |
0.00 |
|
The service does not accept u0415 and u0436 (cyrillic e and E) as exponent signs in numbers with exponent. |
0.00 |
|
The service does not accept invalid syntax for numbers. |
0.00 |
|
The service does accept decimal points in numbers within the bounds of double. |
0.00 |
|
The service does not accept leading zeroes. |
0.00 |
|
The service does not accept any other digit symbol than 0-9. |
0.00 |
|
The service decodes UTF-8 data. |
0.00 |
|
The service rejects malformed UTF-8 data. |
0.00 |
|
The service rejects “overlong sequences”. |
0.00 |
|
The service rejects single escaped and unescaped, and paired unescaped utf-16 surrogates. |
0.00 |
|
The service accepts Non-Characters. |
0.00 |
|
The service accepts well-formed UTF-8 data. |
0.00 |
|
The service accepts JSON data consisting of combinations of the data types. |
0.00 |
|
The service accepts a single complete UTF-8 byte order mark at the beginning of the input only. |
0.00 |
|
If the service accepts an input containing no BOM, then it accepts a single UTF-8 byte order mark followed by that input. |
0.00 |
|
The service does not accept multiple UTF-8 byte order marks. |
0.00 |
|
The service does not accept incomplete or perturbed UTF-8 byte order marks within the first three characters of the input. |
0.00 |
|
The service does not accept UTF-16 and UTF-32 byte order marks instead of the UTF-8 byte order mark. |
0.00 |
|
The service does not accept UTF-8 byte order mark outside of a string and outside of the first three characters of the input. |
0.00 |
Compliance for NPF#
This presents the compliance for the No Parsing Faults (NPF) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The service ignores the presence of a byte order mark. |
0.00 |
|
The service ignores the presence of a single UTF-8 byte order mark at the very beginning of the input. |
0.00 |
|
The service does not parse multiple UTF-8 byte order marks at the beginning of the input and throws an exception. |
0.00 |
|
The service does not parse UTF-8 byte order marks outside of a string and the first three characters of the input, and throws an exception. |
0.00 |
|
The service does not parse UTF-16 and UTF-32 byte order mark instead of an UTF-8 byte order mark, and throws an exception. |
0.00 |
|
The service does not parse partial and perturbed UTF-8 byte order marks within the first three characters of the input and throws an exception. |
0.00 |
|
The service parses numbers according to RFC8259. |
0.00 |
|
The service parses integers without exponent within the precision of int64_t. |
0.00 |
|
The service ignores trailing zeroes after the decimal point. |
0.00 |
|
The service parses numbers within the 64-bit double range but outside of the double precision without throwing an exception. |
0.00 |
|
The service ignores capitalisation of the exponent. |
0.00 |
|
The service parses integers with exponent within the precision of 64-bit double. |
0.00 |
|
The service parses floating point values without exponent within the precision of 64-bit double. |
0.00 |
|
The service parses floating point values with exponent within the precision of 64-bit double. |
0.00 |
|
The service ignores leading zeroes in the exponent. |
0.00 |
|
The service parses integers within IEEE 754-2008 binary64. |
0.00 |
|
The service ignores leading and trailing whitespace. |
0.00 |
|
The service ignores one singular leading plus of the exponent. |
0.00 |
|
The service parses floating point numbers within IEEE 754-2008 binary64 standard. |
0.00 |
|
The service parses strings according to RFC8259. |
0.00 |
|
The service ignores leading and trailing whitespace. |
0.00 |
|
The service parses escaped characters in the basic multilingual plane. |
0.00 |
|
The service ignores capitalisation in escaped hexadecimal unicode. |
0.00 |
|
The service parses all unescaped utf-8 characters except quotation mark, reverse solidus and the control characters. |
0.00 |
|
The service parses \, \/, \b,\f, \n, \r, \t and escaped quotation marks. |
0.00 |
|
The service parses the empty string. |
0.00 |
|
The service parses non-empty strings. |
0.00 |
|
The service parses literal names “true”, “false” and “null” according to RFC8259. |
0.00 |
|
The service ignores leading and trailing whitespace. |
0.00 |
|
The service parses the literal name true. |
0.00 |
|
The service parses the literal name false. |
0.00 |
|
The service parses the literal name null. |
0.00 |
|
The service parses arrays according to RFC8259. |
0.00 |
|
The service ignores leading and trailing whitespace for each value. |
0.00 |
|
The service parses empty arrays. |
0.00 |
|
The service parses non-empty arrays. |
0.00 |
|
The service parses objects according to RFC8259. |
0.00 |
|
The service ignores leading and trailing whitespace for name and value of each member. |
0.00 |
|
The service parses duplicate names without error and reports the last member with that name only. |
0.00 |
|
The service parses empty objects. |
0.00 |
|
The service parses non-empty objects. |
0.00 |
|
The service parses well-formed UTF-8 encoded data only. |
0.00 |
|
The service parses UTF-8 encoded data. |
0.00 |
|
The service throws an exception on ill-formed UTF-8 data. |
0.00 |
Compliance for PJD#
This presents the compliance for the Parse JSON Data (PJD) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The service provides implementations that parses JSON texts, which ignores the presence of a byte order mark rather than treating it as an error. |
0.00 |
|
The service transforms a JSON text into a C++ representation using C++ containers (for arrays and objects) and primitive datatypes (for strings, numbers, boolean, null). |
0.00 |
|
The service parses all texts that conform to the JSON grammar. |
0.00 |
|
The service correctly parses 64-bit integers (exceeding the range defined in RFC8259). |
0.00 |
Compliance for TA#
This presents the compliance for the Trustable Assertions (TA) in tabular form.
Item |
Summary |
Score |
|---|---|---|
Collected data from tests and monitoring of deployed software is analysed according to specified objectives. |
0.00 |
|
Expected or required behaviours for nlohmann/json library are identified, specified, verified and validated based on analysis. |
0.00 |
|
Confidence in nlohmann/json library is measured based on results of analysis. |
0.00 |
|
Constraints on adaptation and deployment of nlohmann/json library are specified. |
0.00 |
|
Data is collected from tests, and from monitoring of deployed software, according to specified objectives. |
0.00 |
|
Known bugs or misbehaviours are analysed and triaged, and critical fixes or mitigations are implemented or applied. |
0.00 |
|
Advanced warning indicators for misbehaviours are identified, and monitoring mechanisms are specified, verified and validated based on analysis. |
0.00 |
|
All inputs to nlohmann/json library are assessed, to identify potential risks and issues. |
0.00 |
|
All constructed iterations of nlohmann/json library include source code, build instructions, tests, results and attestations. |
0.00 |
|
Manual methodologies applied for nlohmann/json library by contributors, and their results, are managed according to specified objectives. |
0.00 |
|
Prohibited misbehaviours for nlohmann/json library are identified, and mitigations are specified, verified and validated based on analysis. |
0.00 |
|
Construction of nlohmann/json library releases is fully repeatable and the results are fully reproducible, with any exceptions documented and justified. |
0.00 |
|
All sources for nlohmann/json library and tools are mirrored in our controlled environment. |
0.00 |
|
All tests for nlohmann/json library, and its build and test environments, are constructed from controlled/mirrored sources and are reproducible, with any exceptions documented. |
0.00 |
|
nlohmann/json library components, configurations and tools are updated under specified change and configuration management controls. |
0.00 |
|
All specified tests are executed repeatedly, under defined conditions in controlled environments, according to specified objectives. |
0.00 |
Compliance for TIJ#
This presents the compliance for the Throw Ill-Formed JSON (TIJ) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The parsing service throws an exception on ill-formed literal names. |
0.00 |
|
The service throws an exception on capitalised literal names. |
0.00 |
|
The service throws an exception on any other than the three literal names true, false, null. |
0.00 |
|
The parsing service throws an exception on ill-formed numbers. |
0.00 |
|
The service throws an exception on leading plus. |
0.00 |
|
The service throws an exception on leading zeroes. |
0.00 |
|
The service throws an exception on NaN, infinity. |
0.00 |
|
The service throws an exception on U+0415 and U+0436 instead of U+0045 or U+0065. |
0.00 |
|
The service throws an exception on invalid number syntax. |
0.00 |
|
The parsing service throws an exception on ill-formed strings. |
0.00 |
|
The service throws an exception on unescaped control characters. |
0.00 |
|
The service throws an exception on unpaired utf-16 surrogates. |
0.00 |
|
The service throws an exception on improperly bounded strings. |
0.00 |
|
The service throws an exception on escaped invalid characters. |
0.00 |
|
The service throws an exception on incorrect surrogate pairs. |
0.00 |
|
The parsing service throws an exception on ill-formed arrays. |
0.00 |
|
The service throws an exception on improperly bounded arrays. |
0.00 |
|
The service throws an exception on improper values within a properly bounded array. |
0.00 |
|
The service throws an exception on improper value separators. |
0.00 |
|
The parsing service throws an exception on ill-formed objects. |
0.00 |
|
The service throws an exception on improperly bounded objects. |
0.00 |
|
The service throws an exception if a non-string is used as name of any member. |
0.00 |
|
The service throws an exception if an improper string is used as name of any member. |
0.00 |
|
The service throws an exception if any member has an improper value. |
0.00 |
|
The service throws an exception on improper member separators. |
0.00 |
|
The service recognises ill-formed byte-order marks and throws an exception. |
0.00 |
Compliance for TRUSTABLE#
This presents the ultimate trustability score for nlohmann/json.
Item |
Summary |
Score |
|---|---|---|
This release of JSON-Library also reffered in the documentation as nlohmann/json library is Trustable. |
0.00 |
Compliance for TT#
This presents the compliance for the Trustable Tenets (TT) in tabular form.
Item |
Summary |
Score |
|---|---|---|
nlohmann/json library is actively maintained, with regular updates to dependencies, and changes are verified to prevent regressions. |
0.00 |
|
Confidence in nlohmann/json library is achieved by measuring and analysing behaviour and evidence over time. |
0.00 |
|
Tools are provided to build nlohmann/json library from trusted sources (also provided) with full reproducibility. |
0.00 |
|
Documentation is provided, specifying what nlohmann/json library is expected to do, and what it must not do, and how this is verified. |
0.00 |
|
All inputs (and attestations for claims) for nlohmann/json library are provided with known provenance. |
0.00 |
|
Evidence is provided to demonstrate that nlohmann/json library does what it is supposed to do, and does not do what it must not do. |
0.00 |
Compliance for WFJ#
This presents the compliance for Well Formed JSON (WFJ) in tabular form.
Item |
Summary |
Score |
|---|---|---|
The service checks the well-formedness of the literal names. |
0.00 |
|
The service checks the well-formedness of strings. |
0.00 |
|
The service checks the well-formedness of numbers. |
0.00 |
|
The service checks the well-formedness of array. |
0.00 |
|
The service checks the well-formedness of objects. |
0.00 |
|
The service checks that a JSON value must be an object, array, number, or string, or one of the lowercase literal names false, null, or true |
0.00 |
|
The service checks that JSON is only serialized using UTF-8. |
0.00 |
|
The service ignores byte order marks. |
0.00 |
Generated for: Software
Repository root: /home/runner/work/json/json
Commit SHA: ef2b50d8112f76c7812b1f77a6c501a358a52756
Commit date/time: Fri Sep 19 12:26:04 2025
Commit tag: ef2b50d