-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathMissingVoidConstructorsOnSerializable.ql
More file actions
40 lines (38 loc) · 1.42 KB
/
MissingVoidConstructorsOnSerializable.ql
File metadata and controls
40 lines (38 loc) · 1.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
/**
* @name Serializable but no void constructor
* @description A non-serializable, immediate superclass of a serializable class that does not
* itself declare an accessible, no-argument constructor causes deserialization to
* fail.
* @kind problem
* @problem.severity warning
* @precision medium
* @id java/missing-no-arg-constructor-on-serializable
* @tags reliability
* maintainability
* language-features
*/
import java
from Class serial, Class nonserial, TypeSerializable serializable
where
serial.hasSupertype(nonserial) and
serial.hasSupertype+(serializable) and
not nonserial.hasSupertype+(serializable) and
not exists(Constructor c |
c = nonserial.getSourceDeclaration().getAConstructor() and
c.hasNoParameters() and
not c.isPrivate()
) and
// Assume if an object replaces itself prior to serialization,
// then it is unlikely to be directly deserialized.
// That means it won't need to comply with default serialization rules,
// such as non-serializable super-classes having a no-argument constructor.
not exists(Method m |
m = serial.getAMethod() and
m.hasName("writeReplace") and
m.getReturnType() instanceof TypeObject and
m.hasNoParameters()
) and
serial.fromSource()
select serial,
"This class is serializable, but its non-serializable " +
"super-class $@ does not declare a no-argument constructor.", nonserial, nonserial.getName()