...
In the absence of sensitive data, a class can be serialized by implementing the java.io.Serializable interface. By doing so, the class indicates that no security issues may result from the object's serialization. Note that any derived sub classes also inherit this interface and are therefore consequently serializable.
When serialization is unavoidable, it is still possible to have classes that cannot implement serializable. This condition is common when there are references to non-serializable objects within the contained methods. The following compliant solution avoids this issue and also protects sensitive data members from getting serialized accidentally. The basic idea is to declare the target member as transient so that it is not included in the list of fields to be serialized, whenever default serialization is being used.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FIO32 SER30- J | medium | likely | high | P6 | L2 |
Automated Detection
...