SV.SERIAL.SIG
SV.SERIAL.SIG is reported for a class when this class directly or indirectly implements 'java.io.Serializable' interface but the declared method 'readObject' or 'writeObject' has an incorrect signature.
Vulnerability and risk
If a class does not implement 'readObject' and 'writeObject' methods with the correct signature, the default serialization will be used.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Methods 'readObject' and 'writeObject' should have the following signatures respectively: 'private void writeObject(java.io.ObjectOutputStream out) throws IOException' and 'private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException'.
Example 1
public class SV_SERIAL_SIG_Sample_1 implements Serializable {
final void readObject(ObjectInputStream in) {
}
void writeObject(ObjectOutputStream in) throws IOException {
}
}
SV.SERIAL.SIG is reported for class 'SV_SERIAL_SIG_Sample_1' declaration on line 17: method 'writeObject() does not have 'private' modifier. SV.SERIAL.SIG is reported for class 'SV_SERIAL_SIG_Sample_1' declaration on line 14: method 'readObject() does not have 'private' modifier. SV.SERIAL.SIG is reported for class 'SV_SERIAL_SIG_Sample_1' declaration on line 14: method 'readObject() does not declare throwing 'java.io.IOException' and 'java.lang.ClassNotFoundException'.
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.