Classes oxalis-outbound/src/main/java/network/oxalis/outbound/transmission/DefaultTransmissionRequest.java and DefaultTransmissionMessage.java implement Serializable but use non-serializable fields #688
Dear OxalisCommunity,
we just ran an automated CAST analysis on the Oxalis codebase and, among other violations, we found out this specific one: the two classes mentioned in the title of this issue implement the Serializable interface, but use as a field the object InputStream, which is not serializable. This is not an immediate problem since both classes are not actually serialized anywhere in the software, but declaring non-transient fields of non-serializable type inside of a serializable class will result in an exception thrown during the serialization. This issue can prevent the software from running reliably, e.g. by triggering an exception. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability.
As a suggestion, if those classes don't actually need to be serializable, they could just not implement the Serializable interface, and this would solve the violation.
Best Regards,
Iacopo
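To make the failure mode concrete, here is an added stand-alone example (not Oxalis code, and not part of the issue) that reproduces the pattern the report describes: a Serializable class with a non-transient InputStream field fails in writeObject with NotSerializableException, while the same class with the field marked transient round-trips but loses the stream. The class names, the sample payload and the ObjectInputFilter pattern are constructed for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.NotSerializableException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerializableStreamDemo {

    // Hypothetical stand-in for the reported pattern: a Serializable class
    // holding an InputStream in a non-transient field.
    static class MessageWithStream implements Serializable {
        private static final long serialVersionUID = 1L;
        final String header;
        final InputStream payload; // InputStream is not Serializable

        MessageWithStream(String header, InputStream payload) {
            this.header = header;
            this.payload = payload;
        }
    }

    // Remedy if the class must stay Serializable: mark the stream transient.
    // The field is skipped on write and comes back as null after readObject(),
    // so callers must be prepared to re-open or re-attach the stream.
    static class MessageWithTransientStream implements Serializable {
        private static final long serialVersionUID = 1L;
        final String header;
        final transient InputStream payload;

        MessageWithTransientStream(String header, InputStream payload) {
            this.header = header;
            this.payload = payload;
        }
    }

    // Serialize any object graph into a byte array.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an allow-list filter (Java 9+): only the demo's own
    // nested classes and java.lang types are accepted, everything else is rejected.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "SerializableStreamDemo$*;java.lang.*;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] sample = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        // Case 1: non-transient InputStream field, writeObject throws.
        try {
            serialize(new MessageWithStream("msg-1", new ByteArrayInputStream(sample)));
            System.out.println("unexpected: serialization succeeded");
        } catch (NotSerializableException e) {
            // The message names the offending class: java.io.ByteArrayInputStream
            System.out.println("NotSerializableException: " + e.getMessage());
        }

        // Case 2: transient field, the round trip succeeds but the stream is gone.
        byte[] bytes = serialize(
                new MessageWithTransientStream("msg-2", new ByteArrayInputStream(sample)));
        MessageWithTransientStream copy = (MessageWithTransientStream) deserialize(bytes);
        System.out.println("header=" + copy.header + " payload=" + copy.payload); // payload=null
    }
}
```

Running the class (`javac SerializableStreamDemo.java && java SerializableStreamDemo`) shows both outcomes. The third option, the one suggested in the issue, is simply not implementing Serializable: then writeObject fails fast with NotSerializableException naming the class itself, which makes any accidental serialization path visible in testing rather than at runtime. The ObjectInputFilter in `deserialize` is unrelated to the reported violation but is the usual defensive companion whenever ObjectInputStream is used on data that could come from outside the process.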