JAVA.CLASS.SER.ND : Serialization Not Disabled (Java)

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

Serialization for a class has not been explicitly disabled by defining a writeObject() method that always throws an exception.

Class Name

Serialization Not Disabled (Java)

Significance

reliability

Mnemonic

JAVA.CLASS.SER.ND

Categories

CWE	CWE:499	Serializable Class Containing Sensitive Data
	CWE:502	Deserialization of Untrusted Data
CERT-Java	CERT-Java:SER01-J	Do not deviate from the proper signatures of serialization methods
	CERT-Java:SER03-J	Do not serialize unencrypted sensitive data
	CERT-Java:SER06-J	Make defensive copies of private mutable components during deserialization
	CERT-Java:SER07-J	Do not use the default serialized form for classes with implementation-defined invariants
	CERT-Java:SER12-J	Prevent deserialization of untrusted data

Availability

Available for Java only.

Enabling

Checks for this warning class are disabled by default. To enable them, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += allow class="Serialization Not Disabled (Java)"

In the following code excerpt, class MyWindow is serializable (because it extends serializable class JFrame).

However, the programmer has annotated the class with @SuppressWarnings("serial"), suppressing any compiler warnings about the missing serialVersionUID field. CodeSonar observes this suppression and reasons that the programmer does not intend the class to be serialized. However, serialization has not been explicitly disabled.

// MyWindow.java
import javax.swing.JFrame;

@SuppressWarnings("serial")
public class MyWindow extends JFrame {  // "Serialization Not Disabled" warning issued here 
  private final int secret;

  public MyWindow(int secret) {
      this.secret = secret;
  }
}

In this example, the programmer should explicitly prevent serialization of class MyWindow, as follows.

// MyWindow.java, after modification
import java.io.ObjectOutputStream;
import javax.swing.JFrame;

@SuppressWarnings("serial")
public class MyWindow extends JFrame {
  private final int secret;

  public MyWindow(int secret) {
      this.secret = secret;
  }

  private void writeObject(ObjectOutputStream stream) {
      throw new RuntimeException("Serialization is not allowed");
  }
}

The following configuration file parameters affect checks for this warning class.

JAVA.CLASS.SER.ND : Serialization Not Disabled (Java)

Summary

Properties

Example

Relevant Configuration File Parameters