From 427b73ec9d0d0f963a601499a5ba351772862aab Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Thu, 7 May 2026 10:51:20 +0100
Subject: [PATCH] Clarify that deserialization that follows a schema is safe
---
.../src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
index bf696b9e93c..65848104ae3 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -18,6 +18,14 @@ supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, Hessian
Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization through
ObjectInputStream/ObjectOutputStream.
+
+Note that a deserialization method is only dangerous if it can instantiate
+arbitrary classes. Serialization frameworks that use a schema to instantiate
+only expected, predefined types are generally safe and are not tracked by this
+query. For example, Apache Avro's deserialization methods follow a schema and
+therefore cannot instantiate arbitrary classes, making them safe to use even
+with untrusted data.
+
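Review bot: The final sentence of this hunk ("making them safe to use even with untrusted data") is broader than the argument that precedes it supports, and the "Note that" paragraph should state the assumption it rests on. The reasoning is that a schema-driven reader instantiates only the types the schema names, so the guarantee holds only while the schema itself is trusted. Apache Avro object container files carry the writer schema in their header, so a reader that opens an untrusted file is also parsing an untrusted schema, and whether "only expected, predefined types" are instantiated then depends on the schema parser and on the datum reader being used (generic, specific, or reflect), not on the data decoder alone. Suggest qualifying the sentence along the lines of "therefore cannot instantiate classes beyond those named by a trusted schema, so data that conforms to such a schema can be read even from untrusted sources" and, if the intent is that only the generic and specific readers are in scope, saying so rather than leaving "deserialization methods" unqualified. A short sentence explaining why the query does not track these frameworks (no attacker-influenced type selection in the data stream) would also make the "not tracked by this query" statement easier for a user to verify against their own framework.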