Hello Ulisses,

Your work on this task will help a lot of people!
Let me point out some comments

1 - Please take a look at http://www.apache.org/legal/3party.html. There is a list of authorized licenses to use.
If you find some good library with a different kind of license we can try to determine if it is compatible or not.

2 - The first idea is to populate the already used modsecurity collections ARGS, ARGS_NAMES etc. However, if necessary we can discuss some additional collection, for example JSON_*. Using the ARGS* collections will make users' lives easier when applying the current ruleset against JSON data.

3 - This is a good question. Currently we don't have exact numbers for that. But we must keep in mind we don't want to add too much latency into http transactions. So we always try to work in a small range of microseconds. As you said, you can try to generate a compatible dataset and compare the performance numbers.

4 - It is fine to discuss it here. Once we have defined what to do you can document it in the Jira ticket.



On Sun, Sep 23, 2012 at 8:31 AM, Ulisses Montenegro <ulisses.montenegro@gmail.com> wrote:

As my first attempt in contributing to mod_security I've decided to
tackle MODSEC-253, a JSON body processor. I've gone through the XML
and multipart body processors and found them apparently
straightforward. I would like some pointers on issues which I need to
address before deciding on my solution, though.

1. The XML body processor uses libxml for the actual XML parsing, I
assume adding a JSON parser library would be acceptable as well. If
so, what licenses would be acceptable?
2. XML processor offers a XPath interface for rules to match XML
contents, which is a standard, but AFAIK there is nothing equivalent
for JSON (aside from evaluating Javascript object references). What
interface would work best for the rules to gain access to the JSON
3. Are there any guidelines/rules regarding memory usage and
performance, i.e., how can I tell if my code or the library I'm using is
performing acceptably? I know I can always benchmark/profile other
body processors and compare the results directly, but I'm looking more
towards hard numbers, if they're available.
4. Finally, do these kinds of questions go into JIRA? I decided to try
the mailing list first as I did not want to add possibly irrelevant
information to the JIRA issue, but I think at least items [1] and [2]
should be registered there -- is that how it usually works?

Thanks a lot for the great work on mod_security.

“If debugging is the process of removing software bugs, then
programming must be the process of putting them in.” - Edsger Dijkstra

mod-security-developers mailing list
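The ARGS-based approach from point 2 of the reply (flatten the JSON body into the existing ARGS / ARGS_NAMES collections so that rules written for form-encoded input keep working) is easy to model outside ModSecurity. The following is an added example written for this thread, not ModSecurity code and not what the MODSEC-253 body processor ended up doing. The key-path syntax ("user.name", "user.roles.0"), the MAX_DEPTH guard, the `JSONBodyError` type and the sample rule are all assumptions made for illustration; the request body is constructed, not captured traffic.

```python
"""Flatten a JSON request body into ModSecurity-style ARGS / ARGS_NAMES
collections so that rules written for form-encoded input can be reused.

Illustrative model written for this thread, not ModSecurity code.  The
key-path syntax and the depth limit are assumptions, not project behaviour.
"""
import json
import re

MAX_DEPTH = 32   # assumed guard: refuse absurdly nested bodies (latency / stack)


class JSONBodyError(Exception):
    """Raised when the body cannot be turned into arguments."""


def flatten_json(node, prefix="", depth=0, out=None):
    """Recursively turn a parsed JSON value into (name, value) argument pairs.

    Nested objects join keys with '.', arrays append the element index,
    scalars become strings (null -> '', booleans -> 'true'/'false').
    """
    if out is None:
        out = []
    if depth > MAX_DEPTH:
        raise JSONBodyError("JSON nesting deeper than %d" % MAX_DEPTH)
    if isinstance(node, dict):
        for key, value in node.items():
            name = "%s.%s" % (prefix, key) if prefix else str(key)
            flatten_json(value, name, depth + 1, out)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            name = "%s.%d" % (prefix, index) if prefix else str(index)
            flatten_json(value, name, depth + 1, out)
    else:
        if node is None:
            text = ""
        elif isinstance(node, bool):
            text = "true" if node else "false"
        else:
            text = str(node)
        out.append((prefix, text))
    return out


def build_collections(body):
    """Parse a JSON body and populate ARGS, ARGS_NAMES and ARGS_COMBINED_SIZE."""
    try:
        parsed = json.loads(body)
    except ValueError as exc:          # JSONDecodeError is a ValueError
        raise JSONBodyError("invalid JSON body: %s" % exc)
    args = flatten_json(parsed)
    return {
        "ARGS": args,
        "ARGS_NAMES": [name for name, _ in args],
        "ARGS_COMBINED_SIZE": sum(len(n) + len(v) for n, v in args),
    }


# A rule of the kind already written for form-encoded input: one regular
# expression applied to every ARGS value.  The pattern is a toy, not CRS.
SQLI_RULE = re.compile(r"(?i)\bunion\b.*\bselect\b")


def matching_args(collections, rule=SQLI_RULE):
    """Names of the arguments whose values match the rule; the rule itself is
    unchanged, it simply now sees JSON-derived arguments too."""
    return [name for name, value in collections["ARGS"] if rule.search(value)]


# Constructed sample body (not captured traffic).
SAMPLE_BODY = ('{"user": {"name": "alice", "roles": ["admin", "dev"]}, '
               '"q": "1 UNION SELECT password FROM users", "active": true}')

if __name__ == "__main__":
    cols = build_collections(SAMPLE_BODY)
    for name, value in cols["ARGS"]:
        print("ARGS:%s=%s" % (name, value))
    print("matches:", matching_args(cols))
```

Run stand-alone, the script lists five arguments (user.name, user.roles.0, user.roles.1, q, active) and reports q as the only match. Two things a body processor has to decide are visible here: how array elements and nested keys are named (so that `ARGS:user.name` style selectors in rules stay predictable), and where to cap nesting or total size so that a hostile body cannot drive parsing cost or recursion depth beyond the microsecond budget mentioned in point 3. Timing `build_collections` on a representative corpus of bodies is the "compatible dataset" comparison suggested there.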