Fix CVE references in documentation

Copilot · mickeygousset · Copilot · commit 0f95651ab4a3 · 2025-09-29T21:47:25.000Z
Co-authored-by: mickeygousset &lt;20031479+mickeygousset@users.noreply.github.com&gt;
diff --git a/DEPENDENCY_ANALYSIS.md b/DEPENDENCY_ANALYSIS.md
@@ -9,8 +9,8 @@ This project demonstrates a vulnerable dependency (`commons-collections:3.2.1`)
 **Package**: `commons-collections:3.2.1`
 
 **Known Vulnerabilities**:
-- CVE-2015-6420: Serialized-object interfaces in certain Cisco Collaboration and Social Media implementations allow remote attackers to execute arbitrary commands
-- CVE-2017-15708: InvokerTransformer code was present in commons-collections4 1.0-4.1 which allowed remote code execution
+- CVE-2015-7501: Apache Commons Collections InvokerTransformer class allows remote attackers to execute arbitrary Java code via crafted serialized objects
+- CVE-2015-6420: Similar remote code execution vulnerability through unsafe deserialization
 
 ### Dependency Paths
 
@@ -54,8 +54,14 @@ Example output:
 [INFO] |  \- (commons-collections:commons-collections:jar:3.2.1:compile - omitted for duplicate)
 [INFO] +- commons-digester:commons-digester:jar:2.1:compile
 [INFO] |  +- (commons-beanutils:commons-beanutils:jar:1.8.3:compile - omitted for conflict with 1.9.2)
+[INFO] |     \- (commons-collections:commons-collections:jar:3.2.1:compile - would be included)
 ```
 
+The key indicators are:
+- "omitted for duplicate" means the same dependency version is already included from another path
+- "omitted for conflict" means a different version of the same dependency is already included from another path
+- Both indicate multiple paths to the same or similar dependencies
+
 ### Why This Matters
 
 In real-world scenarios, vulnerable dependencies often appear in multiple paths through the dependency graph. This makes them:
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ This application contains the following types of security vulnerabilities:
 4. **LDAP Injection** - Unescaped user input in LDAP filters
 5. **Weak Cryptography** - Use of MD5 and weak random number generation
 6. **Hard-coded Secrets** - Embedded credentials and encryption keys
-7. **Vulnerable Dependencies** - Uses `commons-collections:3.2.1` which has known deserialization vulnerabilities (CVE-2015-6420, CVE-2017-15708). This dependency appears in multiple paths in the dependency graph:
+7. **Vulnerable Dependencies** - Uses `commons-collections:3.2.1` which has known deserialization vulnerabilities (CVE-2015-7501). This dependency appears in multiple paths in the dependency graph:
    - As a direct dependency
    - As a transitive dependency through `commons-beanutils:1.9.2`
    - As a transitive dependency through `commons-digester:2.1` → `commons-beanutils:1.8.3`
