JAVA.SERIALIZE.INNER
Do not serialize instances of inner classes
Vulnerability and risk
A non-static inner class holds an implicit reference to its enclosing instance, stored in a compiler-generated field (conventionally named this$0). When an instance of the inner class is serialized, that hidden reference is serialized with it. If the enclosing class is not Serializable, writeObject fails at runtime with NotSerializableException; if it is, the whole enclosing object and everything it references is written into the stream, leaking state that was never meant to leave the process and inflating the payload. Because the name and layout of the synthetic field are compiler-specific rather than defined by the language, the serialized form is also unstable across compilers and versions. The Java Object Serialization Specification explicitly discourages serializing inner classes for these reasons.
Mitigation and prevention
Remove Serializable from the inner class if it does not need to be serialized, or declare it as a static nested class so that it no longer carries a reference to the enclosing instance and serializes only the state it owns. If the enclosing object must also be reconstituted on the receiving side, serialize it explicitly instead of relying on the hidden reference.
Vulnerable code example
package com.klocwork;
import java.io.Serializable;
public class JAVA_SERIALIZE_INNER_POSITIVE {
    // Non-static inner class: each instance carries a hidden reference to the
    // enclosing JAVA_SERIALIZE_INNER_POSITIVE instance, so serializing Inner also
    // serializes the outer object (which is not Serializable here).
    public class Inner implements Serializable {
        private String field;
    }
}
Fixed code example
package com.klocwork;
public class JAVA_SERIALIZE_INNER_NEGATIVE {
    // Serializable has been dropped from the inner class; it is never written to
    // an object stream, so the hidden reference to the outer instance is harmless.
    public class Inner {
        private String field;
    }
}
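The following program is an added illustration, not part of the Klocwork checker documentation. It makes the hidden reference visible through reflection and then shows both outcomes side by side: serializing an instance of a non-static inner class whose enclosing class is not Serializable fails with NotSerializableException, while the same class declared as a static nested class round-trips cleanly. The class and field names are chosen for the demonstration; the synthetic field name this$0 is what javac emits but is not guaranteed by the language.

```java
package com.klocwork;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;

// Added demonstration of JAVA.SERIALIZE.INNER; names are illustrative.
public class InnerSerializationDemo {

    // The enclosing class is deliberately NOT Serializable.
    private final String outerState = "state that must not leave the process";

    // Non-static inner class: the compiler adds a hidden field (this$0 with javac)
    // pointing at the enclosing InnerSerializationDemo instance.
    public class Inner implements Serializable {
        private static final long serialVersionUID = 1L;
        private String field = "inner";
    }

    // Static nested class: no hidden reference to the enclosing instance.
    public static class Nested implements Serializable {
        private static final long serialVersionUID = 1L;
        private String field = "nested";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Show the synthetic field that serialization would follow.
        for (Field f : Inner.class.getDeclaredFields()) {
            System.out.println("Inner declares: " + f.getType().getSimpleName() + " " + f.getName()
                    + (f.isSynthetic() ? " (synthetic)" : ""));
        }

        InnerSerializationDemo outer = new InnerSerializationDemo();

        // 2. Inner class: fails at runtime because the hidden reference drags the
        //    non-Serializable outer instance into the object stream.
        try {
            serialize(outer.new Inner());
            System.out.println("inner: serialized (unexpected)");
        } catch (NotSerializableException e) {
            System.out.println("inner: NotSerializableException for " + e.getMessage());
        }

        // 3. Static nested class: only its own state is written, and it round-trips.
        Nested restored = (Nested) deserialize(serialize(new Nested()));
        System.out.println("nested: restored field = " + restored.field);
    }
}
```

Had InnerSerializationDemo itself implemented Serializable, the first case would not throw; instead outerState and everything reachable from the outer object would silently be written into the stream, which is the leakage the checker warns about. Declaring the class static, as in Nested, is the fix that keeps it serializable without that side effect.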