"ISerializable" should be implemented correctly

https://rules.sonarsource.com/csharp/RSPEC-3925

The ISerializable interface is the mechanism to control the type serialization process. If not implemented correctly this could result in an invalid serialization and hard to detect bugs.

This rules raises an issue on types that implement ISerializable without following the serialization pattern recommended by Microsoft.

Specifically this rule checks for these problems:

• The System.SerializableAttribute attribute is missing.
• Non-serializable fields are not marked with the System.NonSerializedAttribute attribute.
• There is no serialization constructor.
• An unsealed type has a serialization constructor that is not protected.
• A sealed type has a serialization constructor that is not private.
• An unsealed type has a ISerializable.GetObjectData that is not both public and virtual.
• A derived type has a serialization constructor that does not call the base constructor.
• A derived type has a ISerializable.GetObjectData method that does not call the base method.
• A derived type has serializable fields but the ISerializable.GetObjectData method is not overridden. 

What is the correct way to make a custom .NET Exception serializable?

 下面这个是第二个回答，原链接的第一回答更详细和复杂

Exception is already serializable, but you need to override the GetObjectData method to store your variables and provide a constructor which can be called when re-hydrating your object.

So your example becomes:

[Serializable]
public class MyException : Exception
{
    private readonly string resourceName;
    private readonly IList<string> validationErrors;

    public MyException(string resourceName, IList<string> validationErrors)
    {
        this.resourceName = resourceName;
        this.validationErrors = validationErrors;
    }

    public string ResourceName
    {
        get { return this.resourceName; }
    }

    public IList<string> ValidationErrors
    {
        get { return this.validationErrors; }
    }

    [SecurityPermissionAttribute(SecurityAction.Demand, SerializationFormatter=true)]
    protected MyException(SerializationInfo info, StreamingContext context) : base (info, context)
    {
        this.resourceName = info.GetString("MyException.ResourceName");
        this.validationErrors = info.GetValue("MyException.ValidationErrors", typeof(IList<string>));
    }

    [SecurityPermissionAttribute(SecurityAction.Demand, SerializationFormatter=true)]
    public override void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        base.GetObjectData(info, context);

        info.AddValue("MyException.ResourceName", this.ResourceName);

        // Note: if "List<T>" isn't serializable you may need to work out another
        //       method of adding your list, this is just for show...
        info.AddValue("MyException.ValidationErrors", this.ValidationErrors, typeof(IList<string>));
    }

}