Modify rule S1948: clarify that only non-static fields are serialized.

SonarSource · Dec 4, 2024 · fb114f2 · fb114f2
1 parent 485be38
commit fb114f2
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/rules/S1948/java/rule.adoc b/rules/S1948/java/rule.adoc
@@ -2,7 +2,7 @@ This rule raises an issue on a non-transient and non-serializable field within a
 
 == Why is this an issue?
 
-By contract, fields in a `Serializable` class must themselves be either `Serializable` or `transient`.
+By contract, non-static fields in a `Serializable` class must themselves be either `Serializable` or `transient`.
 Even if the class is never explicitly serialized or deserialized, it is not safe to assume that this cannot happen.
 For instance, under load, most J2EE application frameworks flush objects to disk.
 
@@ -94,6 +94,19 @@ public class Person implements Serializable {
 }
 ----
 
+Finally, static fields are out of scope for serialization, so making a field static prevents issues from being raised.
+
+[source,java]
+----
+public class Person implements Serializable {
+  private static final long serialVersionUID = 1905122041950251207L;
+
+  private String name;
+
+  private static Logger log = getLogger(); // Compliant, static fields are not serialized
+}
+----
+
 == Resources
 
 * CWE - https://cwe.mitre.org/data/definitions/594[CWE-594 - Saving Unserializable Objects to Disk]