枚举的字段是否必须是可序列化的?

2022-01-17 00:00:00 sonarqube java

我正在通过 SonarQube 5.1 版分析 Java SE 7 项目.

I'm analyzing Java SE 7 project by SonarQube version 5.1.

然后,我在下面的代码中遇到了 squid:S1948.

Then, I faced squid:S1948 on below code.

可序列化"类中的字段应该是瞬态的或可序列化的

可序列化类中的字段本身必须是可序列化或瞬态的,即使该类从未显式序列化或反序列化.这是因为在负载情况下,大多数 J2EE 应用程序框架会将对象刷新到磁盘,并且据称具有非瞬态、不可序列化数据成员的可序列化对象可能会导致程序崩溃,并为攻击者打开大门.

Fields in a Serializable class must themselves be either Serializable or transient even if the class is never explicitly serialized or deserialized. That's because under load, most J2EE application frameworks flush objects to disk, and an allegedly Serializable object with non-transient, non-serializable data members could cause program crashes, and open the door to attackers.

enum ShutterSpeed {
   private final Rational value; // Make "value" transient or serializable.
   ...
}

我认为任何枚举字段都不会在 J2SE 5.0 中被序列化(枚举常量的序列化)

I think that any enum fields won't be serialized in J2SE 5.0 (Serialization of Enum Constants)

这是误报吗?

完整的代码和问题在这里.

推荐答案

其实是误报.枚举常量的序列化(你've提供了一个链接)说:

It is actually a false-positive. The Serialization of Enum Constants (which you've provided a link to) says that:

枚举常量的序列化方式与普通可序列化不同或可外化的对象.枚举常量的序列化形式仅由其名称组成;常量的字段值不是出现在表格中.

Enum constants are serialized differently than ordinary serializable or externalizable objects. The serialized form of an enum constant consists solely of its name; field values of the constant are not present in the form.

在我看来,将 Enum 的字段值标记为 transient 或让它们实现 Serializable 是没有意义的,因为它们永远不会被序列化,无论它们是标记为 transient 还是实现 Serializable.

As I see it, it doesn't make sense to mark Enum's field values as transient or make them implement Serializable, since they'll never get serialized, no matter if they're marked as transient or implement Serializable.

如果该分析工具迫使您做这两件事中的一件,那么您将编写无用的代码.如果我是你,我会尝试禁用 enums 的警告.

If that analyzing tool forces you to do one of these two things, then you'll be writing useless code. If I were you, I'd try to disable that warning for enums.

相关文章