Is java.io.serialize necessary in ErroMessage.java?

[dleblanc10]

ErrorMessage.java imports java.io.serialize, but does not appear to be necessary. Could that be removed? My team was reviewing it as part of a review of the Java Deserialization vulnerability.

We've made a workaround to remove it in our project and satisfy our security team, but still use the rest of the spring-rest-exception-handler code. Just wondering if that change could be integrated the library.

[jirutka]

Yes, I don't think that it's necessary here either and I don't remember why I did it. However, I think that your security team don't understand what is this bug about, because just a class implementing Serializable is not a source of vulnerability.

[dleblanc10]

This code was questioned because a previous developer copied this code into our project instead of just creating a maven dependency. It took a little while to sort out that this wasn't our code. I've since fixed that and added this to our list of open source licensed code.

Our security folks do understand this was no risk. The dev team decided to remove any java.io.serialization we don't need/use just as code cleanup.