SV.SERIAL.INONSV.SERIAL.INON occurs when an interface extends a Serializable interface. Vulnerability and riskWhen an object is serialized, it is outside the control of the Java Runtime Environment, and therefore, outside control of the security provided by Java. Risk determined by organization policy. Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error. Mitigation and preventionAvoid implementing Serializable unless necessary. If you do implement Serializable, use transient for fields that contain handles to system resources or information relative to an address space. Example 1
10 public interface SV_SERIAL_INON_Sample_1 extends Serializable {
11 }
SV.SERIAL.INON is reported for interface declaration on line 10: Interface 'SV_SERIAL_INON_Sample_1' extends 'java.io.Serializable'. |