EN JP CN

CS.MEMB.NOT_SERIALIZABLE

Ensure entire graph of object can be serialized.

This rule points out all member fields which are not serializable in a serializable class. Fields marked with NonSerializedAttribute are excluded. Sometimes the rule can point out that you have to mark a type that is not under your control as "Serializable". For example, you may be using a system type that is not marked as serializable. In this case the fix will have to be to mark this member "NonSerializable" and you need to take care of initializing the member properly before it gets used in the deserialization context.

Vulnerability and risk

If an object of a class which does not conform to the above rule is serialized than an exception may occur.

Mitigation and prevention

If a class is serializable in a not customized manner (it is marked with SerializableAttribute and it does not implement ISerializable attribute) than all its fields must be either serializable or marked with NonSerializableAttribute.

Note: If a class is marked with SerializableAttribute and implements ISerializable then serialization is customized and this rule does not apply and .TEST will not show any violations for this rule.

Vulnerable code example

1  public class Foo
2  {
3  }
4  public class Bar
5  {
6  }
7   [Serializable]
8  public class MyClass
9  {
10 	private Foo _foo;	// violation, class Foo is not
11 						// serializable and field _foo is not
12 						// skipped
13 						// by NonSerializableAttribute
14 	private Bar _bar; 	// violation, class Bar is not
15 						// serializable and field _bar is not
16 						// skipped
17 						// by NonSerializableAttribute
18 	private static void Serialize(MyClass obj)
19 	{
20 		Stream stream = File.Open("foo.dat", FileMode.Create);
21 		BinaryFormatter formatter = new BinaryFormatter();
22 		formatter.Serialize(stream, obj); // an exception occurs
23 	}
24 }

Fixed code example 1

1  // There are two ways of fixing the above violations
2  // Fix #1
3  namespace Repair1
4  {
5  	[Serializable]
6  	public class Foo
7  	{
8  	}
9  	public class Bar
10 	{
11 	}
12 	[Serializable]
13 	public class MyClass
14 	{
15 		private Foo _foo;	// fix, Foo is serializable
16 		[NonSerialized]
17 		private Bar _bar;	// fix, _bar is not serialized
18 		private static void MySerializeMethod(MyClass obj)
19 		{
20 			Stream stream = File.Open("foo.dat", FileMode.Create);
21 			BinaryFormatter formatter = new BinaryFormatter();
22 			formatter.Serialize(stream, obj);	// no exception,
23 												// all members are
24 												// serializable
25 		}
26 	}
27 }

Fixed code example 2

1  // Fix #2
2  namespace Repair2
3  {
4  	public class Foo
5  	{
6  	}
7  	public class Bar
8  	{
9  	}
10 	 [Serializable]
11 	public class MyClass : ISerializable
12 	{
13 		private Foo _foo;
14 		private Bar _bar;
15 
16 		private static void MySerializeMethod(MyClass obj)
17 		{
18 			Stream stream = File.Open("foo.dat", FileMode.Create);
19 			BinaryFormatter formatter = new BinaryFormatter();
20 			formatter.Serialize(stream, obj); 	// no exception, all
21 												// members are serializable
22 		}
23 		public void GetObjectData(
24 			SerializationInfo info,
25 			StreamingContext context)
26 		{
27 			/*
28 			...
29 			*/
30 		}
31 	}