Protected ArrayList is Serializable

The rule java:S1948 “Fields in a “Serializable” class should either be transient or serializable”
triggers for me in this java snippet:

public class Auftrag implements Serializable {
  private static final long serialVersionUID = 1L;
  protected ArrayList<Anhang> anhang;

I am using SonarQube:
It was reported to be fixed in squid:S1948 wrongly reported by Sonar 7.7 on ArrayList<String> - #2 by Nicolas_Peru
But perhaps it was only fixed for the private field not a protected, public or so?

Hey there.


Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.5.1-> 8.9.8 → 9.4 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

If this issue persists after upgrade, please come back to us.

I’m running server, sonarlint, idea IU-213.7172.25 (2021.3.3) and I just noticed this behaviour as well.

In my case I’m getting 1948 on:

class X implements Serializable {
    private ArrayList<Y> y = new ArrayList<>();

where Y is serializable. I’ve also noticed that if I move the Y class so that it is an inner class of X then the false violation goes away.

I’ve also noticed some scenarios where I am not getting java:S1948 violations when I expect to. These scenarios used to throw violations before our upgrade to 8.9.8 but no longer do. Upgrade was from 8.6.