SV.SERIAL.NON

SV.SERIAL.NON occurs when a class implements a Serializable interface. JVM would not have control over the eventual deserialization of the objects.

Vulnerability and risk

When an object is serialized, it is outside the control of the Java Runtime Environment and, therefore, outside control of the security provided by Java. While implementing a serialization of the data is not an issue, the eventual deserialization of objects that are outside of JVM control poses a risk. Risk level is determined by organization policy.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Avoid implementing Serializable unless necessary. If you do implement Serializable, use transient for fields that contain handles to system resources or information relative to an address space.

Example 1

Copy

 public class SV_SERIAL_NON_Sample_1 implements Serializable {
 }

SV.SERIAL.NON is reported for class 'SV_SERIAL_NON_Sample_1', which implements 'java.io.Serializable'.

External guidance

OWASP A8:2017 Insecure Deserialization

Security training

Application security training materials provided by Secure Code Warrior.

Insecure Deserialization Training Video - Test your skills with a training example