
False positives in server-dangerous-object-deserialization #3737

@9iang22

Describe the bug

Arrays of safe types (String[], int[]) should not be flagged as dangerous for deserialization since they don't pose the same security risks as arbitrary object deserialization, but this pattern is very realistic and commonly used in production code.

To Reproduce

https://semgrep.dev/playground/s/WejyA

import java.rmi.Remote;
import java.rmi.RemoteException;

// ok:server-dangerous-object-deserialization
public interface IBSidesServiceOK extends Remote {
   boolean registerTicket(String[] ticketIDs) throws RemoteException;  // we should not alarm on this
   void vistTalk(String talkID) throws RemoteException;
   void poke(int[] attendees) throws RemoteException; // we should not alarm on this
}

Expected behavior
No alarm on these patterns

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me
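The distinction the report draws, as an added Python sketch of the intended check (this is not semgrep's rule or the project's code, and the sample interface, the regex and the safe-type list are constructed here): parameters declared as a primitive, a box, String, or an array of those are treated as safe, while anything else (Object, Serializable, collections, custom classes) is reported because the RMI runtime deserializes it as an arbitrary object graph.

```python
import re

# Declared parameter types whose RMI deserialization never instantiates
# caller-chosen classes: primitives, their boxes, String, and arrays of these.
SAFE_SCALAR_TYPES = {
    "boolean", "byte", "char", "short", "int", "long", "float", "double",
    "Boolean", "Byte", "Character", "Short", "Integer", "Long", "Float",
    "Double", "String",
}

# One abstract method of a Remote interface: "Ret name(params) throws RemoteException;"
METHOD_RE = re.compile(
    r"^\s*[\w<>\[\]]+\s+(\w+)\s*\(([^)]*)\)\s*throws\s+RemoteException\s*;")

# Constructed sample: the three methods from the report plus two that are risky.
SAMPLE = """
public interface IBSidesService extends Remote {
   boolean registerTicket(String[] ticketIDs) throws RemoteException;
   void vistTalk(String talkID) throws RemoteException;
   void poke(int[] attendees) throws RemoteException;
   void importSchedule(Object schedule) throws RemoteException;
   void bulkUpdate(Map<String, Serializable> changes) throws RemoteException;
}
"""


def is_safe_param_type(java_type: str) -> bool:
    """True if the declared type cannot carry an attacker-chosen object graph."""
    base = java_type.strip()
    while base.endswith("[]"):                      # String[][] -> String
        base = base[:-2].rstrip()
    base = re.sub(r"\s+", "", base).split(".")[-1]  # java.lang.String -> String
    return base in SAFE_SCALAR_TYPES


def split_params(params: str) -> list:
    """Split on top-level commas only, so Map<String, Serializable> stays intact."""
    out, cur, depth = [], "", 0
    for ch in params:
        depth += (ch == "<") - (ch == ">")
        if ch == "," and depth == 0:
            out.append(cur); cur = ""
        else:
            cur += ch
    out.append(cur)
    return [p.strip() for p in out if p.strip()]


def find_risky_methods(source: str) -> list:
    """Return (method, type) pairs whose parameters are deserialized as arbitrary objects."""
    findings = []
    for line in source.splitlines():
        m = METHOD_RE.match(line)
        if not m:
            continue
        for param in split_params(m.group(2)):
            tokens = param.replace("final ", "").rsplit(None, 1)  # "String[] ids" -> type, name
            if len(tokens) == 2 and not is_safe_param_type(tokens[0]):
                findings.append((m.group(1), tokens[0]))
    return findings
```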
