SV.SERIAL.NOWRITE
SV.SERIAL.NOWRITE is reported for a class when this class directly or indirectly implements 'java.io.Serializable' interface but does not define method 'private void writeObject(java.io.ObjectOutputStream out) throws IOException'.
Vulnerability and risk
If a class does not implement the 'writeObject' method with the correct signature, the default serialization provided by 'defaultWriteObject' will be used. An attacker can serialize your objects into a byte array that can be read. This will allow the attacker to inspect the full internal state of your object.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Implement method 'private void writeObject(java.io.ObjectOutputStream out) throws IOException'.
Example 1
public class SV_SERIAL_Sample_1 implements Serializable {
public static void main(String[] args)
{
System.out.println("Hello World!");
}
}
SV.SERIAL.NOWRITE is reported for class 'SV_SERIAL_Sample_1' declaration on line 5.
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.