I am seeing the below warning from the Fortify SourceAnalyzer for my class which implements the ISerializer and IDeSerializer interfaces:

"Missing SecurityManager Check : Serializable".

This is a security vulnerability because, if you are serializing some sensitive data and have put a security manager check in the constructor of the class to avoid unchecked creation of a new object instance, you have to override the write method and put the same security manager check in the write method as well (because someone can still create a new instance from the serialized bytes, as Java has no control over objects created from the serialized bytes and will simply deserialize those bytes, so the only way to avoid this is to put the same security manager check in the write method).

The above explanation is perfectly fine if I am serializing some sensitive data and have put a security manager check inside the constructor. But what if I have data which is not sensitive and I want to serialize it without any security manager check in the constructor? Still, I got the above warning in the Fortify reports. I am not sure how to get rid of this warning. Is this a bug in the Fortify tool, or am I missing something?

Note: I do not want any security manager check in my constructor.


Solution

I get a somewhat different explanation from Fortify, since this issue usually does not refer to write, but to read (deserialization). The background is that constructors are not invoked when deserializing data, since the runtime takes care of initializing the members from the serialized data, so when you have a SecurityManager check in your constructor it is not considered when an instance is created by deserializing.

Anyway, to your question: if you have analyzed the issue and came to the conclusion that it is not an issue, you can mark it as such while auditing the issue. This is possible both in Fortify SSC (the central Fortify server) and the Audit Workbench (AWB). In Fortify SSC, go to your issue list, select "View Details" on the particular issue, and in the lower left corner select "Analysis: Not an Issue". Similar options exist in AWB.

If you are doing subsequent scans and upload them to the server (or merge them using AWB), Fortify recognizes that this issue has been audited and marked as "not an issue" earlier and keeps the "not an issue" information.
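For the case where the data really is sensitive, the pattern the Fortify rule expects is that the constructor's SecurityManager check is repeated in the serialization hooks, because readObject runs in place of the constructor. The following is an added illustration, not code from the question or the answer; the class name SecretHolder and the permission string are hypothetical.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical class constructed for this example.
public final class SecretHolder implements Serializable {
    private static final long serialVersionUID = 1L;

    // Hypothetical permission name; pick one that matches your policy file.
    private static final RuntimePermission CREATE_PERMISSION =
            new RuntimePermission("example.createSecretHolder");

    private final String secret;

    public SecretHolder(String secret) {
        checkPermission();            // guards normal construction
        this.secret = secret;
    }

    public String getSecret() {
        return secret;
    }

    // One shared check so the constructor and the serialization hooks
    // can never drift apart.
    private static void checkPermission() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CREATE_PERMISSION);
        }
    }

    // Deserialization bypasses the constructor, so the check is repeated
    // here before any field is populated from the stream.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        checkPermission();
        in.defaultReadObject();
    }

    // Serialization exposes the state, so the write side is guarded too.
    private void writeObject(ObjectOutputStream out) throws IOException {
        checkPermission();
        out.defaultWriteObject();
    }
}
```

With no SecurityManager installed, System.getSecurityManager() returns null and both hooks fall through to the default behaviour, so the class still serializes normally; note that SecurityManager has been deprecated for removal since JDK 17, so this pattern only has effect on runtimes that still enable one.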

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow