Add commons-collections vulnerability in multiple dependency paths

Copilot · mickeygousset · Copilot · commit 1edca81c3cb4 · 2025-09-29T21:43:59.000Z
Co-authored-by: mickeygousset &lt;20031479+mickeygousset@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -24,6 +24,10 @@ This application contains the following types of security vulnerabilities:
 4. **LDAP Injection** - Unescaped user input in LDAP filters
 5. **Weak Cryptography** - Use of MD5 and weak random number generation
 6. **Hard-coded Secrets** - Embedded credentials and encryption keys
+7. **Vulnerable Dependencies** - Uses `commons-collections:3.2.1` which has known deserialization vulnerabilities (CVE-2015-6420, CVE-2017-15708). This dependency appears in multiple paths in the dependency graph:
+   - As a direct dependency
+   - As a transitive dependency through `commons-beanutils:1.9.2`
+   - As a transitive dependency through `commons-digester:2.1` → `commons-beanutils:1.8.3`
 
 ## CodeQL Analysis
 
@@ -45,8 +49,24 @@ mvn test
 
 # Run the application (demonstrates vulnerabilities)
 mvn exec:java -Dexec.mainClass="com.example.app.VulnerableApplication"
+
+# View dependency tree to see multiple paths to commons-collections
+mvn dependency:tree -Dverbose
 ```
 
+### Viewing Multiple Dependency Paths
+
+To see how `commons-collections:3.2.1` appears in multiple paths in the dependency graph, run:
+
+```bash
+mvn dependency:tree -Dverbose | grep -E "commons-collections|commons-beanutils|commons-digester"
+```
+
+Expected output shows `commons-collections:3.2.1` appearing as:
+- A direct dependency
+- A transitive dependency through `commons-beanutils` (marked as "omitted for duplicate")
+- A transitive dependency through `commons-digester` → `commons-beanutils`
+
 ## Warning
 
 ⚠️ **This application contains intentional security vulnerabilities and should never be deployed in a production environment.** It is designed solely for educational purposes and CodeQL demonstration.
diff --git a/pom.xml b/pom.xml
@@ -41,6 +41,34 @@
             <artifactId>commons-lang3</artifactId>
             <version>3.12.0</version>
         </dependency>
+
+        <!-- Vulnerable dependency (commons-collections 3.2.1) - direct dependency -->
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.1</version>
+        </dependency>
+
+        <!-- commons-beanutils also depends on commons-collections 3.2.1 - creates multiple paths -->
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.2</version>
+        </dependency>
+
+        <!-- commons-configuration also depends on commons-collections - creates another path -->
+        <dependency>
+            <groupId>commons-configuration</groupId>
+            <artifactId>commons-configuration</artifactId>
+            <version>1.10</version>
+        </dependency>
+
+        <!-- commons-digester also depends on commons-collections - creates another path -->
+        <dependency>
+            <groupId>commons-digester</groupId>
+            <artifactId>commons-digester</artifactId>
+            <version>2.1</version>
+        </dependency>
              
         <!-- Database connectivity for SQL injection demos -->
         <dependency>
