SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 11 rules found
serialization
    Impact
      Clean code attribute
        1. "serialVersionUID" should not be declared blindly

           Code Smell
        2. Value-based objects should not be serialized

           Code Smell
        3. Files opened in append mode should not be used with "ObjectOutputStream"

           Bug
        4. "writeObject" argument must implement "Serializable"

           Bug
        5. "Serializable" inner classes of non-serializable outer classes should be "static"

           Bug
        6. Fields in non-serializable classes should not be "transient"

           Code Smell
        7. Comparators should be "Serializable"

           Code Smell
        8. "Serializable" inner classes of "Serializable" classes should be static

           Code Smell
        9. "Serializable" classes should have a "serialVersionUID"

           Code Smell
        10. The non-serializable super class of a "Serializable" class should have a no-argument constructor

           Bug
        11. Fields in a "Serializable" class should either be transient or serializable

           Code Smell

        Fields in a "Serializable" class should either be transient or serializable

        intentionality - logical
        maintainability
        Code Smell
        • cwe
        • serialization

        This rule raises an issue on a non-transient and non-serializable field within a serializable class, if said class does not have writeObject and readObject methods defined.

        Why is this an issue?

        How can I fix it?

        More Info

        By contract, non-static fields in a Serializable class must themselves be either Serializable or transient. Even if the class is never explicitly serialized or deserialized, it is not safe to assume that this cannot happen. For instance, under load, most J2EE application frameworks flush objects to disk.

        An object that implements Serializable but contains non-transient, non-serializable data members (and thus violates the contract) could cause application crashes and open the door to attackers. In general, a Serializable class is expected to fulfil its contract and not exhibit unexpected behaviour when an instance is serialized.

        This rule raises an issue on:

        • Non-Serializable fields.
        • When a field is assigned a non-Serializable type within the class.
        • Collection fields when they are not private. Values that are not serializable could be added to these collections externally. Due to type erasure, it cannot be guaranteed that the collection will only contain serializable objects at runtime despite being declared as a collection of serializable types.
          Available In:
        • SonarQube IdeCatch issues on the fly,
          in your IDE
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube Community BuildAnalyze code in your
          on-premise CI
          Available Since
          9.1
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.1

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use