Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: serialVersionUID fix for Serializable Classes #1883

Merged
merged 4 commits into from
Jan 23, 2024
Merged

fix: serialVersionUID fix for Serializable Classes #1883

merged 4 commits into from
Jan 23, 2024

Conversation

rng70-or
Copy link
Contributor

@rng70-or rng70-or commented Oct 6, 2023

Motivation:

In file: DateTime.java, two classes are serializable but they do not contain any serialVersionUID field. The compiler generates one by default in such scenarios, but the generated id is dependent on compiler implementation and may cause unwanted problems during deserialization.

The Role of serialVersionUID:

The primary role of serialVersionUID is to provide version control during deserialization. When deserialize an object, the JVM checks whether the serialVersionUID of the serialized data matches the serialVersionUID of the class in the current classpath. If they match, the deserialization proceeds without issues. However, if they do not match, programmers encounter InvalidClassException.

As, serialVersionUID servers the purpose of version control of class during serialization-deserialization, without a serialVersionUID, we risk breaking backward compatibility when making changes to classes, which can lead to unexpected issues and errors during deserialization.

Sponsorship and Support:

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

@rng70-or rng70-or requested a review from a team as a code owner October 6, 2023 02:10
@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label Oct 6, 2023
gcf-owl-bot bot added a commit that referenced this pull request Oct 26, 2023
@gcf-owl-bot
chore: bump urllib3 from 2.0.6 to 2.0.7 in /docker/owlbot/java/src (#…
fa42d6c 
…1883)

Source-Link: googleapis/synthtool@2472390
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-java:latest@sha256:fb7584f6adb3847ac480ed49a4bfe1463965026b2919a1be270e3174f3ce1191
@suztomo suztomo merged commit f390020 into googleapis:main Jan 23, 2024
16 checks passed
@suztomo
Copy link
Member

suztomo commented Jan 23, 2024

Thank you!

@release-please release-please bot mentioned this pull request Jan 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@suztomo suztomo suztomo approved these changes

Assignees
No one assigned
Labels
size: xs Pull request size is extra small.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rng70-or @suztomo