Standard Analyses

SemmleCode Professional comes with a wide range of pre-packaged analyses, from architectural properties and metrics, to statement-level checks for likely bugs and violations of best practice.
Non-serializable Field in Serializable Class

This query finds fields that are neither marked transient nor serializable in any way, but are declared in a class that implements java.io.Serializable.

How to Interpret the Query Results

The query flags all such fields and displays a list of all detected occurrences in the results view.

How to Address the Query Results

Make sure that the flagged fields can be serialized, e.g. by declaring custom readObject and writeObject methods.
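The defect this query reports and the fix described above, as an added Java example that is not part of the SemmleCode documentation; the types Connection, SessionBad and SessionGood are hypothetical. SessionBad is what the query flags, and SessionGood shows the transient field with custom readObject and writeObject methods that the remedy calls for.

```java
import java.io.*;

// Added example (not SemmleCode's own code): a hypothetical type that is not Serializable
class Connection {
    final String host;
    Connection(String host) { this.host = host; }
}

// Flagged: 'conn' is neither transient nor Serializable and there is no readObject/writeObject
class SessionBad implements Serializable {
    private static final long serialVersionUID = 1L;
    String user;
    Connection conn;
    SessionBad(String user, String host) { this.user = user; conn = new Connection(host); }
}

// Fixed: transient field plus custom readObject/writeObject that persist only what rebuilds it
class SessionGood implements Serializable {
    private static final long serialVersionUID = 1L;
    String user;
    transient Connection conn;
    SessionGood(String user, String host) { this.user = user; conn = new Connection(host); }
    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();               // writes the non-transient field 'user'
        out.writeUTF(conn.host);                // persist what is needed to rebuild 'conn'
    }
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        conn = new Connection(in.readUTF());    // rebuild the transient field
    }
}
public class SerializationDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        try {
            serialize(new SessionBad("alice", "db.internal"));
        } catch (NotSerializableException e) {
            System.out.println("SessionBad: NotSerializableException for " + e.getMessage());
        }
        byte[] bytes = serialize(new SessionGood("alice", "db.internal"));
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            SessionGood s = (SessionGood) ois.readObject();
            System.out.println("SessionGood restored: " + s.user + " @ " + s.conn.host);
        }
    }
}
```

Note that readObject runs while a stream is being deserialized, before any constructor logic, so state rebuilt there should be validated like any other input.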

Source Code
import default

// Fields of a Serializable class whose type cannot be serialized
from Class c, Field f, TypeSerializable serializable,
     Interface externalizable, RefType fieldtype
where externalizable.hasQualifiedName("java.io", "Externalizable") and
      // f is declared in a class that (transitively) implements Serializable
      f.getDeclaringType() = c and
      c.hasSupertype+(serializable) and
      // transient and static fields are never serialized, so they are not reported
      not f.hasModifier("transient") and
      not f.hasModifier("static") and
      // the field has a reference type (primitive types are always serializable)
      // that is neither Object, nor Serializable, nor Externalizable
      f.getType() = fieldtype and
      not fieldtype instanceof TypeObject and
      not fieldtype.hasSupertype+(serializable) and
      not fieldtype.hasSupertype+(externalizable) and
      // a class with custom serialization methods is assumed to handle the field itself
      not c.declaresMethod("readObject") and
      not c.declaresMethod("writeObject")
select f, "This field is in a Serializable class, "
          + "but does not appear to be serializable, externalizable, "
          + "transient, or serialized in any way."
References