Incorrect serialVersionUID field
ID: java/incorrect-serial-version-uid
Kind: problem
Security severity:
Severity: warning
Precision: medium
Tags:
- quality
- reliability
- correctness
Query suites:
- java-security-and-quality.qls
A serializable class that uses the serialVersionUID field to act as an object version number must declare the field to be final, static, and of type long for it to be used by the Java serialization framework.
Recommendation
Make sure that the serialVersionUID field in a serialized class is final, static, and of type long.
Example
In the following example, WrongNote defines serialVersionUID using the wrong type, so that it is not used by the Java serialization framework. However, Note defines it correctly so that it is used by the framework.
import java.io.Serializable;

class WrongNote implements Serializable {
// BAD: serialVersionUID must be static, final, and 'long'; an 'int' field is ignored
private static final int serialVersionUID = 1;
//...
}
class Note implements Serializable {
// GOOD: serialVersionUID is static, final, and of type 'long'
private static final long serialVersionUID = 1L;
}
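As an added example (not from the CodeQL documentation), the following Java program checks reflectively whether a Serializable class declares serialVersionUID as static final long and prints it next to the UID the runtime will actually write to the stream, which is what makes WrongNote's silently ignored field visible. The classes WrongNote and Note mirror the page's example; SerialVersionUidCheck and its text field are assumptions for the demo.

```java
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

// Demo classes constructed for this example, shaped like the page's WrongNote/Note.
class WrongNote implements Serializable {
    private static final int serialVersionUID = 1; // wrong type: ignored by the framework
    String text;
}

class Note implements Serializable {
    private static final long serialVersionUID = 1L; // correct declaration
    String text;
}

public class SerialVersionUidCheck {
    /** Returns null when cls declares serialVersionUID correctly, otherwise the defect. */
    static String checkSerialVersionUid(Class<?> cls) {
        if (!Serializable.class.isAssignableFrom(cls)) {
            return "class is not Serializable";
        }
        Field f;
        try {
            f = cls.getDeclaredField("serialVersionUID");
        } catch (NoSuchFieldException e) {
            return "no serialVersionUID declared; the runtime computes one from the class shape";
        }
        if (f.getType() != long.class) {
            return "serialVersionUID is " + f.getType().getName() + ", must be long";
        }
        int mods = f.getModifiers();
        if (!Modifier.isStatic(mods) || !Modifier.isFinal(mods)) {
            return "serialVersionUID must be static and final";
        }
        return null;
    }

    public static void main(String[] args) {
        for (Class<?> cls : new Class<?>[] {WrongNote.class, Note.class}) {
            // The UID the serialization framework will actually write to the stream.
            long effective = ObjectStreamClass.lookup(cls).getSerialVersionUID();
            String problem = checkSerialVersionUid(cls);
            System.out.printf("%s: effective UID=%d, declared field: %s%n",
                    cls.getSimpleName(), effective, problem == null ? "OK" : problem);
        }
    }
}
```

For WrongNote the effective UID is a hash computed from the class structure rather than 1, so any later change to the class breaks deserialization of previously written objects; Note reports 1.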
References
Java API Specification: Serializable.
JavaWorld: Ensure proper version control for serialized objects.