FP in squid:S1948 (Fields in a "Serializable" class should either be transient or serializable)


guido...@1und1.de
Apr 18, 2016, 9:07:41 AM
to SonarQube
Hello everybody,

I think the Rule squid:S1948 should not raise an issue for the following example:

import java.io.Serializable;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class MyTestSerializableFields implements Serializable {

    private static final long serialVersionUID = 1L;

    /**
     * Map with Maps with serializable datatypes
     */
    // squid:S1948 is NOT ok(!) because it's private
    // squid:S1948 - Fields in a "Serializable" class should either be transient or serializable
    private final Map<String, Map<Locale, String>> finalPrivateMapWithMap = new HashMap<String, Map<Locale, String>>();

    /**
     * Map with Lists with serializable datatype
     */
    // squid:S1948 is NOT ok(!) because it's private
    // squid:S1948 - Fields in a "Serializable" class should either be transient or serializable
    private final Map<String, List<String>> finalPrivateMapWithList = new HashMap<String, List<String>>();

    public Map<String, Map<Locale, String>> getFinalPrivateMapWithMap() {
        return finalPrivateMapWithMap;
    }

    public Map<String, List<String>> getFinalPrivateMapWithList() {
        return finalPrivateMapWithList;
    }
}

All types are serializable and especially for Collections/Maps the fields are private. No 'setters' are present to set any unserializable data.

Is it possible to remove that false positive from that rule?

Our setup is SonarQube version 5.3 and Java 3.12. Also tested with SonarQube 5.3 and Java 3.13.1.

Regards,
Guido

Victor Noël
Apr 18, 2016, 9:26:09 AM
to SonarQube
Hi,

I already met this one: the problem is that you can put in your map some Maps or Lists that are not Serializable!

If I do getFinalPrivateMapWithList().put("a", new NonSerializableList<String>());

I break the contract!

guido...@1und1.de
Apr 18, 2016, 10:28:26 AM
to SonarQube
Hi Victor,

Thank you for your fast answer. What is, in your opinion, the best way of defining serializable Maps and Lists/Collections (for an API, for example)?

Regards,
Guido

Victor Noël
Apr 18, 2016, 10:40:25 AM
to SonarQube
I have no idea… maybe do not give a direct access to the collections (and provide an API that modifies them)?
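Added example (not code from the thread) putting the two replies above together: the getter lets a caller store a List implementation that is not Serializable in the interface-typed map, which only fails at serialization time, while an API that copies values into concrete Serializable collections avoids both the failure and the rule. NonSerializableList, Exposed, Guarded and roundTrips are hypothetical names.

```java
import java.io.*;
import java.util.*;

// Added example (not from the thread): why S1948 flags a Map<String, List<String>>
// field, and the "no direct access" alternative suggested above.
public class SerializableMapDemo {
    // Hypothetical List that is NOT Serializable (AbstractList does not implement it).
    static class NonSerializableList<E> extends AbstractList<E> {
        private final List<E> backing = new ArrayList<>();
        @Override public E get(int i) { return backing.get(i); }
        @Override public int size() { return backing.size(); }
        @Override public void add(int i, E e) { backing.add(i, e); }
    }
    // Interface-typed field handed out by a getter: the declared type says nothing
    // about the runtime class of the values, so the analyzer cannot prove them Serializable.
    static class Exposed implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Map<String, List<String>> data = new HashMap<>();
        public Map<String, List<String>> getData() { return data; }
    }
    // Guarded variant: callers never touch the map, and every value is copied
    // into a concrete Serializable type, so the field type itself is Serializable.
    static class Guarded implements Serializable {
        private static final long serialVersionUID = 1L;
        private final HashMap<String, ArrayList<String>> data = new HashMap<>();
        public void put(String key, Collection<String> values) { data.put(key, new ArrayList<>(values)); }
        public List<String> get(String key) { return Collections.unmodifiableList(data.getOrDefault(key, new ArrayList<>())); }
    }
    // Serializes and deserializes obj; false means the round trip threw (NotSerializableException is an IOException).
    static boolean roundTrips(Serializable obj) {
        try (ByteArrayOutputStream bytes = new ByteArrayOutputStream();
             ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
            out.flush();
            return new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray())).readObject() != null;
        } catch (IOException | ClassNotFoundException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        Exposed fine = new Exposed();
        fine.getData().put("a", new ArrayList<>(Arrays.asList("x")));
        Exposed broken = new Exposed();
        broken.getData().put("a", new NonSerializableList<>()); // compiles, breaks serialization
        Guarded guarded = new Guarded();
        guarded.put("a", new NonSerializableList<>()); // copied into an ArrayList, so safe
        System.out.println(roundTrips(fine) + " " + roundTrips(broken) + " " + roundTrips(guarded));
    }
}
```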

spe...@intralinks.com
Dec 23, 2016, 1:43:16 PM
to SonarQube
I have 2 occurrences of this in my codebase, but I'm not using collection classes in my case:

import java.io.Serializable;

public interface Foo extends Serializable {
    ...
}

public class MyException extends Exception {
    private final Foo foo;
    ^^^^^^^^^^^^^^^^^^^^^^---------------------------------------
    | Make "errorType" transient or serializable. (squid:S1948) |
    -------------------------------------------------------------

    public MyException(Foo foo) {
        this.foo = foo;
    }
}

The java.lang.Exception class, of course, also extends Serializable.

We're using SonarQube 5.1.

Thanks,
Sam

Tibor Blenessy
Jan 10, 2017, 10:27:53 AM
to spe...@intralinks.com, SonarQube
Hello,

I am unable to reproduce the case you are describing using the latest version of the SonarJava analyzer. If possible, try to upgrade to the latest version (4.4 at the moment). Also make sure that the full classpath is provided to the analyzer; otherwise the analysis can fail when there are unresolved symbols in the code.

Best regards


--
Tibor BLENESSY | SonarSource
Software Engineer