Page History

...

Deviating from the proper signatures of serialization methods can lead to unexpected behavior. Failure to limit the accessibility of the readObject() and writeObject() methods can leave code vulnerable to untrusted invocations. Declaring readResolve() and writeReplace() methods to be static or private can force subclasses to silently ignore them, while declaring them public allows them to be invoked by untrusted code.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
SER01-J	High	Likely	Low	P27	L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.CLASS.SER.ND

Serialization Not Disabled (Java)

Coverity

7.5

UNSAFE_DESERIALIZATION

Implemented

Parasoft Jtest

9.5SERIAL.ROWOImplementedSonarQube Java Plugin

Include Page

	Parasoft_V
	Parasoft_V

CERT.SER01.ROWO

Ensure that the 'readObject()' and 'writeObject()' methods have the correct signature

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V6075

SonarQube

Include Page

	SonarQube

Java Plugin

_V
	SonarQube

Java Plugin

_V

S2061

Implemented

Custom serialization method signatu res should meet requirements

Related Guidelines

MITRE CWE

CWE-502, Deserialization of Untrusted Data

Bibliography

[API 2014]	Class `Serializable`
[Sun 2006]	Serialization Specification
[Ware 2008]

...

Image Modified Image Modified Image Modified

Space shortcuts

Page tree

Versions Compared

Old Version 59

New Version Current

Key

Automated Detection

Related Guidelines

Bibliography