SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 63

changes.mady.by.user Will Snavely

Saved on

compared with

New Version 64

changes.mady.by.user Alexandre GIGLEUX

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Deviating from the proper signatures of serialization methods can lead to unexpected behavior. Failure to limit the accessibility of the readObject() and writeObject() methods can leave code vulnerable to untrusted invocations. Declaring readResolve() and writeReplace() methods to be static or private can force subclasses to silently ignore them, while declaring them public allows them to be invoked by untrusted code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER01-J

High

Likely

Low

P27

L1

Automated Detection

Tool
Version
Checker
Description
Coverity7.5UNSAFE_DESERIALIZATIONImplemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
SERIAL.ROWOImplemented
SonarQube
Include Page
SonarQube_V
SonarQube_V
S2061
 
Custom serialization method signatures should meet requirements

Related Guidelines

MITRE CWE

CWE-502, Deserialization of Untrusted Data

Bibliography

[API 2014]

Class Serializable

[Sun 2006]

Serialization Specification

[Ware 2008]

 

...



...