diff --git a/rules/S1948/java/rule.adoc b/rules/S1948/java/rule.adoc index 3e9648e301f..69d4722f36b 100644 --- a/rules/S1948/java/rule.adoc +++ b/rules/S1948/java/rule.adoc @@ -2,7 +2,7 @@ This rule raises an issue on a non-transient and non-serializable field within a == Why is this an issue? -By contract, fields in a `Serializable` class must themselves be either `Serializable` or `transient`. +By contract, non-static fields in a `Serializable` class must themselves be either `Serializable` or `transient`. Even if the class is never explicitly serialized or deserialized, it is not safe to assume that this cannot happen. For instance, under load, most J2EE application frameworks flush objects to disk. @@ -94,6 +94,19 @@ public class Person implements Serializable { } ---- +Finally, static fields are out of scope for serialization, so making a field static prevents issues from being raised. + +[source,java] +---- +public class Person implements Serializable { + private static final long serialVersionUID = 1905122041950251207L; + + private String name; + + private static Logger log = getLogger(); // Compliant, static fields are not serialized +} +---- + == Resources * CWE - https://cwe.mitre.org/data/definitions/594[CWE-594 - Saving Unserializable Objects to Disk]
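Review bot: The first hunk narrows the contract sentence to "non-static fields", but the rule summary shown in the hunk's context ("This rule raises an issue on a non-transient and non-serializable field within a ...") still describes the scope without the static exclusion; consider updating it to "non-transient, non-static and non-serializable field" so the summary and the "Why is this an issue?" section state the same scope.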
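Review bot: In the second hunk, the sentence "making a field static prevents issues from being raised" reads as a recipe for silencing the rule rather than as a statement of scope; since a static field is shared by every instance and survives deserialization unchanged, the text should say that static fields are not part of an instance's serialized state and so are not reported, and that a field should be made static only when its value genuinely belongs to the class rather than to the instance. The added snippet also declares `private static Logger log = getLogger();` without a `final` modifier and without showing where `Logger` and `getLogger()` come from; marking it `private static final Logger log` and either importing a logging type or adding a short comment that the logger factory is illustrative would make the example self-explanatory and match the `static final` style already used for `serialVersionUID`.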