Rules Repository / RSPEC-1948

Fields in a "Serializable" class should either be transient or serializable


    Details

    • Type: Code Smell Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make "xxx" transient or serializable.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      C#
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources, Test Sources
    • CWE:
      CWE-594
    • FindBugs:
      SE_BAD_FIELD
    • FxCop:
      MarkAllNonSerializableFields
    • MSFT Roslyn:
      CA2235
    • PMD:
      BeanMembersShouldSerialize

      Description

      Fields in a Serializable class must themselves be either Serializable or transient, even if the class is never explicitly serialized or deserialized. For instance, under load, most J2EE application frameworks flush objects (such as HTTP session attributes) to disk; an allegedly Serializable object with a non-transient, non-serializable field then fails with a java.io.NotSerializableException at the moment the framework tries to write it, which can crash the request or lose the stored state, and open the door to attackers. In general, a Serializable class is expected to fulfil its contract and behave predictably when an instance is serialized.

      This rule raises an issue on non-Serializable fields, and on collection fields (whose declared type is usually an interface such as java.util.List, which does not extend Serializable) when they are not private, because they could be assigned non-Serializable values externally, or when they are assigned non-Serializable implementations within the class.

      Noncompliant Code Example

      import java.io.Serializable;
      
      public class Address {  // does not implement Serializable
        //...
      }
      
      public class Person implements Serializable {
        private static final long serialVersionUID = 1905122041950251207L;
      
        private String name;      // String is Serializable
        private Address address;  // Noncompliant; Address isn't serializable
      }
      

      Compliant Solution

      import java.io.Serializable;
      
      public class Address implements Serializable {
        private static final long serialVersionUID = 2405172041950251807L;
      }
      
      public class Person implements Serializable {
        private static final long serialVersionUID = 1905122041950251207L;
      
        private String name;
        private Address address;  // Compliant; Address is now Serializable
      }
      

      Exceptions

      The alternative to making all members serializable or transient is to implement the special methods which take on the responsibility of properly serializing and deserializing the object. This rule ignores classes which implement the following methods:

       private void writeObject(java.io.ObjectOutputStream out)
           throws IOException;
       private void readObject(java.io.ObjectInputStream in)
           throws IOException, ClassNotFoundException;
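      The failure mode from the Description and the writeObject/readObject escape hatch from this Exceptions section, carried through end to end in an added example (this is not code from the rule page or from SonarSource). The class names Address, PersonBroken, PersonTransient, PersonCustom and the roundTrip helper are assumptions of this example, and an in-memory byte stream stands in for a framework flushing the object to disk:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerializableFieldsDemo {

    // A value type that does not implement Serializable (constructed for this
    // example, e.g. a class from a third-party library you cannot change).
    static final class Address {
        final String street;
        final String city;
        Address(String street, String city) { this.street = street; this.city = city; }
        @Override public String toString() { return street + ", " + city; }
    }

    // Noncompliant: "address" is neither transient nor Serializable, so
    // serializing a PersonBroken throws NotSerializableException.
    static final class PersonBroken implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final Address address;
        PersonBroken(String name, Address address) { this.name = name; this.address = address; }
    }

    // Compliant via "transient": serialization succeeds, but the address is
    // skipped on write and comes back as null after deserialization.
    static final class PersonTransient implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final transient Address address;
        PersonTransient(String name, Address address) { this.name = name; this.address = address; }
        Address address() { return address; }
    }

    // Compliant via the rule's exception: writeObject/readObject take
    // responsibility for the non-Serializable field by writing its parts.
    static final class PersonCustom implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private transient Address address; // transient so default serialization skips it
        PersonCustom(String name, Address address) { this.name = name; this.address = address; }
        Address address() { return address; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();            // writes the non-transient fields ("name")
            out.writeBoolean(address != null);   // guard: the field may legitimately be null
            if (address != null) {
                out.writeUTF(address.street);
                out.writeUTF(address.city);
            }
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (in.readBoolean()) {              // read back in exactly the order written
                address = new Address(in.readUTF(), in.readUTF());
            }
        }
    }

    // Serialize and deserialize in memory: the same code path a J2EE container
    // takes when it passivates a session attribute to disk.
    @SuppressWarnings("unchecked")
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (T) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Address home = new Address("1 Main St", "Springfield");

        try {
            roundTrip(new PersonBroken("Ann", home));
        } catch (NotSerializableException e) {
            System.out.println("PersonBroken failed to serialize: " + e);
        }

        PersonTransient t = roundTrip(new PersonTransient("Ann", home));
        System.out.println("PersonTransient address after round trip: " + t.address());

        PersonCustom c = roundTrip(new PersonCustom("Ann", home));
        System.out.println("PersonCustom address after round trip: " + c.address());
    }
}
```

      The point of the third variant is that marking the field transient only silences the rule; it also silently discards the data. When the field must survive the round trip, the custom methods are the way to keep the Serializable contract honest, and the boolean prefix is the caveat most hand-written readObject methods forget: a null field must be encoded explicitly, or the reader will desynchronise from the stream.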
      

      People

      Assignee: Unassigned
      Reporter: Ann Campbell (ann.campbell.2)