=== is duplicated by: S4066

=== on 19 Mar 2018, 11:18:13 Sébastien GIORIA - AppSecFR wrote:
Need Tag A8:2017

=== on 20 Mar 2018, 07:30:10 Freddy Mallet wrote:
Thanks [~SPoint] ! And I would even remove the A1 category [~alexandre.gigleux] to keep our referential orthogonal.

=== on 20 Mar 2018, 08:20:58 Alexandre Gigleux wrote:
\[~freddy.mallet] I agree the main problem here is the "Insecure Deserialization" that can lead to a potential "Injection". The "Injection" can't be performed easily, you need first to bypass the deserialization layer. So I removed OWASP A1. 

=== on 7 Jul 2018, 15:28:25 Tibor Blenessy wrote:
Method ``++ObjectInputStream.readArray(boolean)++``  is private, so it can't be called. Why we should detect it?

=== on 9 Jul 2018, 13:27:12 Andrei Epure wrote:
@ [~alexandre.gigleux] , [~tibor.blenessy] Should we take into consideration ``++setObjectInputFilter​++`` ? 

=== on 9 Jul 2018, 15:56:04 Alexandre Gigleux wrote:
\[~andrei.epure] Hotspots rules are going to be revisited with "recommendations" that a Security Auditors should follow to be sure the code is safe. This ``++setObjectInputFilter]} will be part of them. Here we just want to raise a simple issue when the {{readObject++`` is called. Then up to the Security Auditor to look around this code and see if some sanitization of in the input is made.

=== on 23 Jul 2018, 17:14:26 Pierre-Yves Nicolas wrote:
\[~alexandre.gigleux] The current description is really specific to Java. Can it be adapted to PHP? Thanks.

=== on 27 May 2020, 16:48:46 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity