CS.MEMB.NOT_SERIALIZABLE
Ensure entire graph of object can be serialized.
This rule reports every member field whose type is not serializable in a class marked as serializable. Fields marked with NonSerializedAttribute are excluded. Sometimes the rule points at a type that is not under your control, for example a system type that is not marked as serializable. In that case the fix is to mark the field [NonSerialized], and you then need to take care of initializing that member yourself before it gets used after deserialization, since the formatter does not restore it.
Vulnerability and risk
If an object of a class that does not conform to this rule is serialized, an exception is thrown at run time.
Mitigation and prevention
If a class is serializable in the default, non-customized manner (it is marked with SerializableAttribute and does not implement the ISerializable interface), then all of its fields must be either serializable or marked with NonSerializedAttribute.
Note: If a class is marked with SerializableAttribute and implements ISerializable, then serialization is customized; this rule does not apply and no violations are reported for it.
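The check the rule performs can be reproduced at run time with reflection, which is useful as a unit test in a code base that still relies on BinaryFormatter. The following program is an added example, not part of the original rule description or its tool: the hypothetical SerializableGraphChecker walks the field graph of a type, skips fields marked [NonSerialized], stops at types that implement ISerializable (custom serialization, where the rule does not apply), and reports every field whose type is not marked [Serializable]. It uses only Type.IsSerializable and FieldInfo.IsNotSerialized from the base class library; on .NET 8 and later those members compile with the SYSLIB0050 obsoletion warning.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.Serialization;

// Hypothetical helper (added example) that mirrors the rule's logic via reflection.
public static class SerializableGraphChecker
{
    // Returns "DeclaringType.field : FieldType" for every field in the graph of
    // `root` that a formatter could not serialize.
    public static List<string> FindViolations(Type root)
    {
        var violations = new List<string>();
        Walk(root, new HashSet<Type>(), violations);
        return violations;
    }

    static void Walk(Type type, HashSet<Type> visited, List<string> violations)
    {
        if (!visited.Add(type)) return;                       // cycle or already checked
        if (typeof(ISerializable).IsAssignableFrom(type)) return; // customized: rule does not apply

        const BindingFlags flags = BindingFlags.Instance | BindingFlags.Public |
                                   BindingFlags.NonPublic | BindingFlags.DeclaredOnly;

        // Private fields of base classes are serialized too, so walk the hierarchy.
        for (Type t = type; t != null && t != typeof(object); t = t.BaseType)
        {
            foreach (FieldInfo f in t.GetFields(flags))
            {
                if (f.IsNotSerialized) continue;              // [NonSerialized] is excluded

                Type ft = f.FieldType;
                while (ft.IsArray) ft = ft.GetElementType();  // arrays: check the element type

                // Interface, object or generic-parameter typed fields depend on the
                // runtime object; a static check cannot decide them, so they are skipped.
                if (ft.IsInterface || ft == typeof(object) || ft.IsGenericParameter) continue;
                if (ft.IsPrimitive || ft.IsEnum || ft == typeof(string)) continue;

                if (!ft.IsSerializable)                       // type lacks [Serializable]
                {
                    violations.Add(t.Name + "." + f.Name + " : " + ft.Name);
                    continue;
                }
                Walk(ft, visited, violations);                // descend into the graph
            }
        }
    }
}

// Constructed sample types, shaped like the ones in the rule's examples.
public class Foo { }
[Serializable] public class Bar { }

[Serializable]
public class MyClass
{
    private Foo _foo;                      // reported: Foo is not serializable
    [NonSerialized] private Foo _skipped;  // not reported: excluded by [NonSerialized]
    private Bar _bar;                      // fine: Bar is [Serializable]
    private int _count;                    // fine: primitive
}

public static class Program
{
    public static void Main()
    {
        foreach (string v in SerializableGraphChecker.FindViolations(typeof(MyClass)))
            Console.WriteLine("violation: " + v);
    }
}
```

Running this against MyClass reports only the `_foo` field. Because the walk descends into serializable field types, a field of type List<Foo> is also reported (through the list's internal array), which matches the "entire graph" wording of the rule.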
Vulnerable code example
```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

public class Foo
{
}

public class Bar
{
}

[Serializable]
public class MyClass
{
    private Foo _foo; // violation: class Foo is not serializable and
                      // field _foo is not skipped by NonSerializedAttribute
    private Bar _bar; // violation: class Bar is not serializable and
                      // field _bar is not skipped by NonSerializedAttribute

    private static void Serialize(MyClass obj)
    {
        Stream stream = File.Open("foo.dat", FileMode.Create);
        BinaryFormatter formatter = new BinaryFormatter();
        formatter.Serialize(stream, obj); // an exception occurs
    }
}
```
Fixed code example 1
```csharp
// There are two ways of fixing the above violations.
// Fix #1: make the field type serializable, or exclude the field.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

namespace Repair1
{
    [Serializable]
    public class Foo
    {
    }

    public class Bar
    {
    }

    [Serializable]
    public class MyClass
    {
        private Foo _foo; // fix: Foo is serializable

        [NonSerialized]
        private Bar _bar; // fix: _bar is not serialized

        private static void MySerializeMethod(MyClass obj)
        {
            Stream stream = File.Open("foo.dat", FileMode.Create);
            BinaryFormatter formatter = new BinaryFormatter();
            formatter.Serialize(stream, obj); // no exception: all serialized
                                              // members are serializable
        }
    }
}
```
Fixed code example 2
```csharp
// Fix #2: customize serialization by implementing ISerializable.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

namespace Repair2
{
    public class Foo
    {
    }

    public class Bar
    {
    }

    [Serializable]
    public class MyClass : ISerializable
    {
        private Foo _foo;
        private Bar _bar;

        private static void MySerializeMethod(MyClass obj)
        {
            Stream stream = File.Open("foo.dat", FileMode.Create);
            BinaryFormatter formatter = new BinaryFormatter();
            formatter.Serialize(stream, obj); // no exception: GetObjectData
                                              // decides what is written
        }

        public void GetObjectData(
            SerializationInfo info,
            StreamingContext context)
        {
            /*
            ...
            */
        }
    }
}
```
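Both fixes leave something for the developer to handle: after Fix #1 the [NonSerialized] member comes back as null and must be re-created, and Fix #2 needs a real GetObjectData body plus the matching deserialization constructor. The program below is an added example that is not part of the original page; it completes both patterns and round-trips each object through BinaryFormatter in memory. The class and member names are constructed for the example. It targets .NET Framework 4.x; on modern .NET, BinaryFormatter is obsolete and disabled by default, and in any runtime it must only ever deserialize data you produced yourself, as this example does.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed stand-ins for types that are not serializable and not under our control.
public class Foo { public string Name = "foo"; }
public class Bar { public int Value; }

// Fix #1 pattern: exclude the member and rebuild it once deserialization is done.
[Serializable]
public class MyClass
{
    public int Id;

    [NonSerialized]
    private Foo _foo;                 // not written to the stream, so it is null after Deserialize

    public Foo Dependency { get { return _foo; } }

    public MyClass(int id) { Id = id; _foo = new Foo(); }

    // Called by the formatter after all serialized fields have been restored.
    [OnDeserialized]
    private void Reinitialize(StreamingContext context)
    {
        _foo = new Foo();
    }
}

// Fix #2 pattern: ISerializable with an explicit GetObjectData and the
// deserialization constructor the formatter looks for.
[Serializable]
public class MyCustomClass : ISerializable
{
    private Bar _bar;

    public Bar Bar { get { return _bar; } }

    public MyCustomClass(int value) { _bar = new Bar { Value = value }; }

    // Rebuilds the non-serializable Bar from the primitive stored in GetObjectData.
    protected MyCustomClass(SerializationInfo info, StreamingContext context)
    {
        _bar = new Bar { Value = info.GetInt32("barValue") };
    }

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("barValue", _bar.Value); // store only what is needed to rebuild _bar
    }
}

public static class Program
{
    // Serializes and immediately deserializes `obj` in memory; no untrusted input is involved.
    static T RoundTrip<T>(T obj)
    {
        BinaryFormatter formatter = new BinaryFormatter();
        using (MemoryStream ms = new MemoryStream())
        {
            formatter.Serialize(ms, obj);
            ms.Position = 0;
            return (T)formatter.Deserialize(ms);
        }
    }

    public static void Main()
    {
        MyClass a = RoundTrip(new MyClass(7));
        Console.WriteLine(a.Id + " " + (a.Dependency != null ? a.Dependency.Name : "null"));

        MyCustomClass b = RoundTrip(new MyCustomClass(99));
        Console.WriteLine(b.Bar.Value);
    }
}
```

Removing the [OnDeserialized] method from MyClass shows the caveat from the rule description directly: the round trip still succeeds, but Dependency is null on the deserialized instance.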