FP when adding Serializable Record to a session

Qube version: 25.6.0

I have a record like this:

public record R(String s) implements Serializable {}

Adding an instance r of R to the session attributes like this

session.setAttribute( "r", r );

results in an FP complaining about R not being Serializable, which it is.

Looks like the rule doesn’t recognize serializable records.

Hey there.

I’ve moved your post to the section on reporting false-positives.

Can you add what Rule ID is affected here?

Thanks, Colin. It’s been a while since I last reported something here.

The rule is java:S2441.

Thanks @mfroehlich and good to see you 🙂

I see nothing in our backlog about this so I’ve flagged it for attention.

Hi Marvin,

I could not reproduce the FP. Could you please include a small, self-contained code snippet where you experience the FP?

public class A
{
    public static record R( String foo, Boolean bar ) implements Serializable {}
    
    private HttpSession session = ...;
    
    public void x()
    {
        R r = new R( "foo", true );
        
        session.setAttribute( "foo", r ); // FP
    }
}

This is quite close to my actual code.

Thank you for the example! I was able to reproduce the problem and have created a ticket: SONARJAVA-5697.

I noticed the FP only appears when Serializable is unavailable. This might suggest an issue with your configuration. However, the analysis shouldn’t produce FPs even under these circumstances.

Hi Tomasz,

Thank you very much.

How can Serializable be unavailable? It is a basic JDK class. Or did I misunderstand something?

After updating to Qube 25.7.0.110598, the issue is definitely fixed. Thank you very much.

Hi Marvin,

Serializable is a basic JDK class, but it may not be recognized if the scanner is not configured correctly or if there is a missing import while working in the IDE.

I’m not sure what went wrong initially, but I’m glad the issue is resolved.
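To check independently of the analyzer that a record shaped like the one in this thread is serializable, the following added example (not part of the original thread and not SonarQube code) round-trips it through Java serialization, as a container does when it persists or replicates a session. The class name `RecordSessionCheck` and the contrast record `NotSer` are assumptions made up for this example; it needs Java 16 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class RecordSessionCheck {
    // Same shape as the record posted in the thread.
    public record R(String foo, Boolean bar) implements Serializable {}

    // Constructed contrast case: a record that does NOT implement Serializable.
    public record NotSer(String foo) {}

    // Serialize and deserialize a value in memory, the way a session store would.
    static Object roundTrip(Object value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        R r = new R("foo", true);

        // The record is a Serializable and survives a full round trip unchanged.
        System.out.println("instanceof Serializable: " + (r instanceof Serializable));
        System.out.println("round trip equal: " + r.equals(roundTrip(r)));

        // The contrast record is rejected at write time, which is the runtime
        // failure a "not Serializable in session" finding is meant to prevent.
        try {
            roundTrip(new NotSer("foo"));
            System.out.println("NotSer was serialized (unexpected)");
        } catch (NotSerializableException e) {
            System.out.println("NotSer rejected: " + e.getMessage());
        }
    }
}
```

Save it as `RecordSessionCheck.java` and run it with `java RecordSessionCheck.java`. If the first record round-trips here but the analyzer still reports it, the finding comes from the analysis environment rather than from the code.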