Java S4544 @JsonTypeInfo on Interface

Is there a reason for S4544 (Using unsafe Jackson deserialization configuration is security-sensitive: Rules explorer) to be triggered only on classes and not on interfaces when using @JsonTypeInfo? In my project, I see that the security hotspot is reported only for classes, not interfaces. Looking at the sonar-java source code, I see:

  return modifiers.parent().is(Tree.Kind.CLASS, Tree.Kind.VARIABLE);

As far as I understand, interfaces have the same threat model as classes (as opposed to records or enums, which don’t have polymorphism).


After a quick review, we believe you are right and created this ticket: SONARJAVA-4055.

As you seem familiar with our code, don’t hesitate to raise a PR to fix the False-Negative.
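As an added illustration of the question's point (not code from this thread or from sonar-java), the snippet below places the configuration S4544 flags on a class onto an interface, next to the allowlisted form the rule recommends; the Jackson annotations are real, while the shape types and sample documents are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class PolymorphicInterfaceDemo {

    // Same configuration the rule reports on a class: the fully qualified class name
    // carried in the JSON decides which type Jackson instantiates. On an interface it
    // is just as security-sensitive, which is the false negative discussed above.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    interface UnsafeShape {}

    // Hardened form: logical type names, resolved only against an explicit allowlist
    // of subtypes. A type name outside the list is rejected at deserialization time.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface SafeShape {}

    // Constructed subtypes (static nested so Jackson can instantiate them).
    static final class Circle implements SafeShape { public double radius; }
    static final class Square implements SafeShape { public double side; }

    /** Resolves the concrete class for a document, or returns null when the type id is not allowlisted. */
    static Class<?> resolve(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        try {
            return mapper.readValue(json, SafeShape.class).getClass();
        } catch (InvalidTypeIdException e) {
            return null; // unknown "type" value: Jackson refuses to pick a class for it
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents.
        System.out.println(resolve("{\"type\":\"circle\",\"radius\":1.5}"));        // Circle
        System.out.println(resolve("{\"type\":\"com.example.Other\",\"side\":2}")); // null
    }
}
```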

