From 5159a396f743fa0037e1e74c36d06203a8a9c76c Mon Sep 17 00:00:00 2001
From: Carter Kozak
Date: Fri, 1 Apr 2022 15:44:25 -0400
Subject: [PATCH 1/2] Fix SerializationUtils matcher

previously looked for instance methods rather than static methods.
---
 .../DangerousJavaDeserialization.java | 4 +--
 .../DangerousJavaDeserializationTest.java | 28 +++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/baseline-error-prone/src/main/java/com/palantir/baseline/errorprone/DangerousJavaDeserialization.java b/baseline-error-prone/src/main/java/com/palantir/baseline/errorprone/DangerousJavaDeserialization.java
index 2bf2b65bd..9112a3f93 100644
--- a/baseline-error-prone/src/main/java/com/palantir/baseline/errorprone/DangerousJavaDeserialization.java
+++ b/baseline-error-prone/src/main/java/com/palantir/baseline/errorprone/DangerousJavaDeserialization.java
@@ -52,8 +52,8 @@ public final class DangerousJavaDeserialization extends BugChecker implements Bu
                     .withNoParameters(),
             Matchers.not(Matchers.enclosingMethod(READ_OBJECT)));
 
-    private static final Matcher LANG3_SERIALIZATION_UTILS_DESERIALIZE = MethodMatchers.instanceMethod()
-            .onExactClassAny(
+    private static final Matcher LANG3_SERIALIZATION_UTILS_DESERIALIZE = MethodMatchers.staticMethod()
+            .onClassAny(
                     "org.apache.commons.lang.SerializationUtils",
                     "org.apache.commons.lang3.SerializationUtils",
                     "org.springframework.util.SerializationUtils")
diff --git a/baseline-error-prone/src/test/java/com/palantir/baseline/errorprone/DangerousJavaDeserializationTest.java b/baseline-error-prone/src/test/java/com/palantir/baseline/errorprone/DangerousJavaDeserializationTest.java
index 4bd6e41ac..23c8184ba 100644
--- a/baseline-error-prone/src/test/java/com/palantir/baseline/errorprone/DangerousJavaDeserializationTest.java
+++ b/baseline-error-prone/src/test/java/com/palantir/baseline/errorprone/DangerousJavaDeserializationTest.java
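Review bot: The corrected initializer of `LANG3_SERIALIZATION_UTILS_DESERIALIZE` carries no comment recording why `staticMethod()` is the right matcher kind, which is exactly the detail the previous version got wrong and that made this matcher silently match nothing; a one-line note such as `// deserialize(...) is static on all three utility classes; instanceMethod() would match nothing and the check would be dead` would keep a future refactor from reintroducing the dead matcher. As a style point, the constant's name still says LANG3 although the list also covers commons-lang 2 and Spring, so a name like `SERIALIZATION_UTILS_DESERIALIZE` would describe it better. The initializer continues past the hunk (the method-name selector is not visible here), so I cannot confirm from these lines which method names the matcher restricts to.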
@@ -51,4 +51,32 @@ void allowsReadObject() {
                         "}")
                 .doTest();
     }
+
+    @Test
+    void testCommonsLang() {
+        helper().addSourceLines(
+                        "Test.java",
+                        "import org.apache.commons.lang.SerializationUtils;",
+                        "class Test {",
+                        " void f(byte[] data) {",
+                        " // BUG: Diagnostic contains: serialization features for security reasons",
+                        " SerializationUtils.deserialize(data);",
+                        " }",
+                        "}")
+                .doTest();
+    }
+
+    @Test
+    void testCommonsLang3() {
+        helper().addSourceLines(
+                        "Test.java",
+                        "import org.apache.commons.lang3.SerializationUtils;",
+                        "class Test {",
+                        " void f(byte[] data) {",
+                        " // BUG: Diagnostic contains: serialization features for security reasons",
+                        " SerializationUtils.deserialize(data);",
+                        " }",
+                        "}")
+                .doTest();
+    }
 }

From 400ef800078793e9b4e96986fb8c988582fb7d1b Mon Sep 17 00:00:00 2001
From: svc-changelog
Date: Fri, 1 Apr 2022 19:45:48 +0000
Subject: [PATCH 2/2] Add generated changelog entries

---
 changelog/@unreleased/pr-2164.v2.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelog/@unreleased/pr-2164.v2.yml

diff --git a/changelog/@unreleased/pr-2164.v2.yml b/changelog/@unreleased/pr-2164.v2.yml
new file mode 100644
index 000000000..2a462343b
--- /dev/null
+++ b/changelog/@unreleased/pr-2164.v2.yml
@@ -0,0 +1,5 @@
+type: fix
+fix:
+  description: Fix `SerializationUtils` matcher
+  links:
+  - https://github.com/palantir/gradle-baseline/pull/2164
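Review bot: The two new tests exercise `org.apache.commons.lang` and `org.apache.commons.lang3` but not `org.springframework.util.SerializationUtils`, the third class name the corrected matcher lists, so a regression that affects only that entry would go unnoticed; the two methods are also identical apart from the import line. If `junit-jupiter-params` and the Spring class are available on the test classpath (the build file is not visible from here), one `@ParameterizedTest` over the three fully qualified names removes the duplication and adds the missing case; otherwise a third copy for the Spring class would do. A negative test showing that a static `deserialize` on an unrelated class is not flagged would also pin the narrowing that `onClassAny` provides. The enclosing test class closes at the hunk's last context line.
```java
    @ParameterizedTest
    @ValueSource(strings = {
        "org.apache.commons.lang.SerializationUtils",
        "org.apache.commons.lang3.SerializationUtils",
        "org.springframework.util.SerializationUtils"
    })
    void testSerializationUtilsDeserialize(String utilsClass) {
        helper().addSourceLines(
                        "Test.java",
                        "import " + utilsClass + ";",
                        "class Test {",
                        "  void f(byte[] data) {",
                        "    // BUG: Diagnostic contains: serialization features for security reasons",
                        "    SerializationUtils.deserialize(data);",
                        "  }",
                        "}")
                .doTest();
    }
```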