Serialization (SER)
Rules
- SER00-J. Enable serialization compatibility during class evolution
- SER01-J. Do not deviate from the proper signatures of serialization methods
- SER02-J. Sign then seal objects before sending them outside a trust boundary
- SER03-J. Do not serialize unencrypted sensitive data
- SER04-J. Do not allow serialization and deserialization to bypass the security manager
- SER05-J. Do not serialize instances of inner classes
- SER06-J. Make defensive copies of private mutable components during deserialization
- SER07-J. Do not use the default serialized form for classes with implementation-defined invariants
- SER08-J. Minimize privileges before deserializing from a privileged context
- SER09-J. Do not invoke overridable methods from the readObject() method
- SER10-J. Avoid memory and resource leaks during serialization
- SER11-J. Prevent overwriting of externalizable objects
- SER12-J. Prevent deserialization of untrusted data
Risk Assessment Summary
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| SER00-J | Low | Probable | Yes | Yes | P6 | L2 |
| SER01-J | High | Likely | Yes | No | P18 | L1 |
| SER02-J | Medium | Probable | No | No | P4 | L3 |
| SER03-J | Medium | Likely | No | No | P6 | L2 |
| SER04-J | High | Probable | Yes | Yes | P18 | L1 |
| SER05-J | Medium | Likely | Yes | No | P12 | L1 |
| SER06-J | Low | Probable | Yes | Yes | P6 | L2 |
| SER07-J | Medium | Probable | No | No | P4 | L3 |
| SER08-J | High | Likely | Yes | No | P18 | L1 |
| SER09-J | Low | Probable | Yes | No | P4 | L3 |
| SER10-J | Low | Unlikely | No | No | P1 | L3 |
| SER11-J | Low | Probable | No | No | P2 | L3 |
| SER12-J | High | Likely | No | No | P9 | L2 |