From fb114f2b966287328073f0725925fc74386e6185 Mon Sep 17 00:00:00 2001 From: Tomasz Tylenda Date: Wed, 4 Dec 2024 12:11:59 +0100 Subject: [PATCH] Modify rule S1948: clarify that only non-static fields are serialized. --- rules/S1948/java/rule.adoc | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/rules/S1948/java/rule.adoc b/rules/S1948/java/rule.adoc index 3e9648e301f..69d4722f36b 100644 --- a/rules/S1948/java/rule.adoc +++ b/rules/S1948/java/rule.adoc @@ -2,7 +2,7 @@ This rule raises an issue on a non-transient and non-serializable field within a == Why is this an issue? -By contract, fields in a `Serializable` class must themselves be either `Serializable` or `transient`. +By contract, non-static fields in a `Serializable` class must themselves be either `Serializable` or `transient`. Even if the class is never explicitly serialized or deserialized, it is not safe to assume that this cannot happen. For instance, under load, most J2EE application frameworks flush objects to disk. @@ -94,6 +94,19 @@ public class Person implements Serializable { } ---- +Finally, static fields are out of scope for serialization, so making a field static prevents issues from being raised. + +[source,java] +---- +public class Person implements Serializable { + private static final long serialVersionUID = 1905122041950251207L; + + private String name; + + private static Logger log = getLogger(); // Compliant, static fields are not serialized +} +---- + == Resources * CWE - https://cwe.mitre.org/data/definitions/594[CWE-594 - Saving Unserializable Objects to Disk]
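Review bot: the first hunk narrows the contract to `non-static fields`, but the rule's opening summary visible in that hunk's context (`This rule raises an issue on a non-transient and non-serializable field within a ...`) still speaks of any field; for consistency, consider updating it in the same change, for example to `a non-transient, non-static and non-serializable field`, so the summary and the "Why is this an issue?" section agree on scope.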
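Review bot: in the second hunk the sentence `making a field static prevents issues from being raised` reads as a recipe for silencing the rule rather than as a statement about what is correct; consider rewording along the lines of "static fields belong to the class, not the instance, so they are never part of the serialized state and are not reported", so that a reader does not turn an instance field into a static one merely to quiet the analyzer. In the added sample, `Logger` and `getLogger()` are neither imported nor defined, so the snippet will not compile as shown; either add the import (for example `import java.util.logging.Logger;`) and use a real factory call such as `Logger.getLogger(Person.class.getName())`, or mark the source block as a fragment. Declaring the logger `private static final Logger log` would also match the usual pattern for shared class-level state.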