Protected ArrayList is Serializable

The rule java:S1948 “Fields in a “Serializable” class should either be transient or serializable”
triggers for me in this java snippet:

public class Auftrag implements Serializable {
  private static final long serialVersionUID = 1L;
  protected ArrayList<Anhang> anhang;
}

I am using SonarQube: 8.5.1.38104
It was reported to be fixed in squid:S1948 wrongly reported by Sonar 7.7 on ArrayList<String> - #2 by Nicolas_Peru
But perhaps it was only fixed for the private field not a protected, public or so?

Hey there.

Hi,

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.5.1-> 8.9.8 → 9.4 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

If this issue persists after upgrade, please come back to us.

I’m running server 8.9.8.54436, sonarlint 6.7.0.45926, idea IU-213.7172.25 (2021.3.3) and I just noticed this behaviour as well.

In my case I’m getting 1948 on:

class X implements Serializable {
    ...
    private ArrayList<Y> y = new ArrayList<>();
}

where Y is serializable. I’ve also noticed that if I move the Y class so that it is an inner class of X then the false violation goes away.

I’ve also noticed some scenarios where I am not getting java:S1948 violations when I expect to. These scenarios used to throw violations before our upgrade to 8.9.8 but no longer do. Upgrade was from 8.6.