codeql/java/ql/src/Likely Bugs/Concurrency/SynchWriteObject.ql at main · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
/**
 * @name Inconsistent synchronization for writeObject()
 * @description Classes with a synchronized 'writeObject' method but no other
 *              synchronized methods usually lack a sufficient level of synchronization.
 * @kind problem
 * @problem.severity warning
 * @precision medium
 * @id java/inconsistent-sync-writeobject
 * @tags quality
 *       reliability
 *       correctness
 *       concurrency
 *       external/cwe/cwe-662
 */

import java

from Method m
where
  m.getDeclaringType().getAnAncestor() instanceof TypeSerializable and
  m.hasName("writeObject") and
  m.getNumberOfParameters() = 1 and
  m.getAParamType() instanceof TypeObjectOutputStream and
  m.isSynchronized() and
  not exists(Method s |
    m.getDeclaringType().inherits(s) and
    s.isSynchronized() and
    s != m
  )
select m, "Class's writeObject() method is synchronized but nothing else is."