...
Using the default serialized form for any class with implementation-defined invariants lets anyone who controls the serialized stream construct an object that violates those invariants: the constructor's checks are never run during deserialization, so the bytes in the stream are accepted as-is.
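The following is an added example, not code from the CERT page itself. It shows the failure concretely: a class whose only invariant check lives in the constructor is serialized, the serialized bytes are patched to break the invariant, and the default form deserializes the broken object without complaint. A second variant of the same class re-validates in `readObject` and rejects the tampered stream. The class names (`Buffer`, `CheckedBuffer`), the byte-patching helper and the field values are all constructed for illustration.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.util.Arrays;

/*
 * Added example (not the CERT page's own code). Demonstrates why a class
 * with an invariant must not rely on the default serialized form, and one
 * way to fix it (re-validation in readObject). Names are illustrative.
 */
public class Ser07Demo {

    // Invariant: 0 <= used <= capacity. Enforced ONLY by the constructor.
    static final class Buffer implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int capacity;
        private final int used;

        Buffer(int capacity, int used) {
            if (capacity < 0 || used < 0 || used > capacity)
                throw new IllegalArgumentException("invariant violated");
            this.capacity = capacity;
            this.used = used;
        }
        int free() { return capacity - used; }
    }

    // Same fields, but the invariant is re-checked after the stream is read.
    static final class CheckedBuffer implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int capacity;
        private final int used;

        CheckedBuffer(int capacity, int used) {
            if (capacity < 0 || used < 0 || used > capacity)
                throw new IllegalArgumentException("invariant violated");
            this.capacity = capacity;
            this.used = used;
        }
        int free() { return capacity - used; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();           // fields now hold attacker-supplied values
            if (capacity < 0 || used < 0 || used > capacity)
                throw new InvalidObjectException("invariant violated in stream");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return ois.readObject();
        }
    }

    // Attacker step: primitive fields are written big-endian in the stream, so
    // locate the 4-byte value of the int field and overwrite it in place.
    static byte[] patchInt(byte[] stream, int oldVal, int newVal) {
        byte[] needle = ByteBuffer.allocate(4).putInt(oldVal).array();
        byte[] patched = stream.clone();
        for (int i = 0; i + 4 <= patched.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(patched, i, i + 4), needle)) {
                System.arraycopy(ByteBuffer.allocate(4).putInt(newVal).array(), 0, patched, i, 4);
                return patched;
            }
        }
        throw new IllegalStateException("field value not found in stream");
    }

    public static void main(String[] args) throws Exception {
        // Distinctive values so the byte search cannot collide with stream metadata.
        final int CAP = 0x7A1B2C3D, USED = 0x5E6F0A1B;

        byte[] stream = serialize(new Buffer(CAP, USED));
        byte[] tampered = patchInt(stream, USED, 0x7FFFFFFF);   // used > capacity
        Buffer b = (Buffer) deserialize(tampered);
        System.out.println("default form accepted tampered object, free() = " + b.free());

        byte[] stream2 = serialize(new CheckedBuffer(CAP, USED));
        try {
            deserialize(patchInt(stream2, USED, 0x7FFFFFFF));
            System.out.println("BUG: checked form accepted tampered object");
        } catch (InvalidObjectException e) {
            System.out.println("checked form rejected tampered object: " + e.getMessage());
        }
    }
}
```

Run with `javac Ser07Demo.java && java Ser07Demo`. The first line of output reports a negative `free()` from an object that the constructor could never have produced; the second reports the `InvalidObjectException`. Note that `defaultReadObject()` has already populated the fields with attacker-controlled values by the time the check runs, so the check must happen before any of those fields is used, and for fields holding mutable references a defensive copy belongs there as well. A serialization proxy (writing a `readResolve`-based proxy instead of the real class) removes the window entirely, since the real object is only ever built through its constructor.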
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| SER07-J | Medium | Probable | No | No | P4 | L3 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | JAVA.CLASS.SER.ND | Serialization not disabled (Java) |
| Coverity | 7.5 | UNSAFE_DESERIALIZATION | Implemented |
| Parasoft Jtest | | CERT.SER07.RRSC | Define a "readResolve" method for all instances of Serializable types |
...