import java.io.Serializable;
import javax.servlet.http.HttpSession; // or jakarta.servlet.http.HttpSession, depending on the servlet API in use

public class A
{
    public static record R( String foo, Boolean bar ) implements Serializable {}

    private HttpSession session = ...;

    public void x()
    {
        R r = new R( "foo", true );
        session.setAttribute( "foo", r ); // FP: R implements Serializable, yet the rule still reports it
    }
}
Thank you for the example! I was able to reproduce the problem and have created a ticket: SONARJAVA-5697.
I noticed the FP only appears when Serializable is unavailable. This might suggest an issue with your configuration. However, the analysis shouldn’t produce FPs even under these circumstances.
Serializable is a basic JDK class, but it may not be recognized if the scanner is not configured correctly or if there is a missing import while working in the IDE.
I’m not sure what went wrong initially, but I’m glad the issue is resolved.
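Servlet containers may serialize session attributes for persistence or replication, which is what the rule flagged above guards against. The following is an added example (not code from the thread or from SonarJava) that confirms a record like R survives that round trip; the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionAttributeSerializationCheck {
    // Same shape as the record in the report: a record that implements Serializable.
    public record R(String foo, Boolean bar) implements Serializable {}

    // Serialize and deserialize the value the way a session store would.
    static <T extends Serializable> T roundTrip(T value) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T copy = (T) in.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        R original = new R("foo", true);
        R copy = roundTrip(original);
        // Records are rebuilt through their canonical constructor, so equals() must hold.
        if (!original.equals(copy)) {
            throw new AssertionError("round trip changed the value: " + copy);
        }
        System.out.println("session attribute serializes correctly: " + copy);
    }
}
```

Requires Java 16 or later for records; a non-serializable component type in the record would surface here as a NotSerializableException, which is the failure the rule is meant to catch.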