Object deserialization is used in package name - solution does not seem to work

Must-share information (formatted with Markdown):

  • which versions are you using : Sonarqube 9.4
  • what are you trying to achieve:
    On scanning our code, a vulnerability was reported:
    "Object deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation.

Libraries developers tend to fix class that provided potential malicious trigger. There are still classes that are known to trigger Denial of Service[1].

Deserialization is a sensible operation that has a great history of vulnerabilities. The web application might become vulnerable as soon as a new vulnerability is found in the Java Virtual Machine[2] [3].
Fixing this by using filters as mentioned in the Oracle documentation does not help as the vulnerability still persists in the next scan.
We are using openjdk version 17

  • what have you tried so far to achieve this
    try (ByteArrayInputStream bis = new ByteArrayInputStream(obj); ObjectInputStream in = new ObjectInputStream(bis):wink: {
    84 … in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(“com.xx.xxx.xxxx.xxxx.;java.lang.;java.util.;org.jdom.;!*”));

Hello @Arun_Kumar ,

Thanks for your feedback. I see multiple things in your post:

First, the vulnerability text that you pasted is not SonarQube’s text. After short googling, it looks like it comes from Guardrails’ docs: Insecure Processing of Data | GuardRails

SonarQube’s text for this vulnerability is this one: Java static code analysis: Deserialization should not be vulnerable to injection attacks. Depending on your SonarQube version, you might not have access to this rule.

Because of this, I’m not sure we are talking about the same analyzers here.

Nevertheless, about Serialization Filters: SonarQube does not support this fix yet, and I actually created an internal ticket last month to support this: APPSEC-102.

Thanks a lot!

Best regards,


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.