Merge pull request #5 from devopselvis/copilot/fix-2345d43d-6d10-4934-8286-07f62d5ac32b

Add vulnerable dependency with multiple paths in dependency graph

Author: mickeygousset

DEPENDENCY_ANALYSIS.md

@@ -0,0 +1,97 @@
+# Dependency Analysis
+
+## Vulnerable Dependency in Multiple Paths
+
+This project demonstrates a vulnerable dependency (`commons-collections:3.2.1`) appearing in multiple paths in the dependency graph.
+
+### The Vulnerable Package
+
+**Package**: `commons-collections:3.2.1`
+
+**Known Vulnerabilities**:
+- CVE-2015-7501: Apache Commons Collections InvokerTransformer class allows remote attackers to execute arbitrary Java code via crafted serialized objects through unsafe deserialization
+- This vulnerability affects commons-collections versions 3.0 through 3.2.1
+
+### Dependency Paths
+
+The `commons-collections:3.2.1` package appears in the following paths in the dependency graph:
+
+1. **Direct Dependency**
+   ```
+   vulnerable-app
+   └── commons-collections:3.2.1
+   ```
+
+2. **Transitive Dependency via commons-beanutils**
+   ```
+   vulnerable-app
+   └── commons-beanutils:1.9.2
+       └── commons-collections:3.2.1
+   ```
+
+3. **Transitive Dependency via commons-digester**
+   ```
+   vulnerable-app
+   └── commons-digester:2.1
+       └── commons-beanutils:1.8.3
+           └── commons-collections:3.2.1
+   ```
+
+### Verification
+
+To verify that the package appears in multiple paths, run:
+
+```bash
+mvn dependency:tree -Dverbose
+```
+
+Look for lines showing `commons-collections` with annotations like "omitted for duplicate" which indicates it's being pulled in through multiple paths.
+
+Example output:
+```
+[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
+[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
+[INFO] |  \- (commons-collections:commons-collections:jar:3.2.1:compile - omitted for duplicate)
+[INFO] +- commons-digester:commons-digester:jar:2.1:compile
+[INFO] |  +- (commons-beanutils:commons-beanutils:jar:1.8.3:compile - omitted for conflict with 1.9.2)
+[INFO] |     \- (commons-collections:commons-collections:jar:3.2.1:compile - would be included)
+```
+
+The key indicators are:
+- "omitted for duplicate" means the same dependency version is already included from another path
+- "omitted for conflict" means a different version of the same dependency is already included from another path
+- Both indicate multiple paths to the same or similar dependencies
+
+### Why This Matters
+
+In real-world scenarios, vulnerable dependencies often appear in multiple paths through the dependency graph. This makes them:
+- More challenging to identify
+- Harder to remediate (requires updating multiple parent dependencies)
+- More likely to be overlooked by basic security scanning
+
+This repository intentionally includes this pattern to demonstrate how dependency scanning tools like GitHub's Dependabot and CodeQL can detect such vulnerabilities across the entire dependency graph.
+
+## Viewing the Full Dependency Graph
+
+To see the complete dependency tree:
+
+```bash
+# Standard view (duplicates are omitted)
+mvn dependency:tree
+
+# Verbose view (shows all paths including duplicates)
+mvn dependency:tree -Dverbose
+
+# Filter to see only commons-related dependencies
+mvn dependency:tree -Dverbose | grep commons
+```
+
+## Security Recommendations
+
+⚠️ **For educational purposes only**
+
+In a production environment, you would:
+1. Upgrade to a patched version of the vulnerable library
+2. If no patch exists, find alternative libraries
+3. Use dependency scanning tools to continuously monitor for vulnerabilities
+4. Implement Software Composition Analysis (SCA) in your CI/CD pipeline

README.md

@@ -24,6 +24,10 @@ This application contains the following types of security vulnerabilities:
 4. **LDAP Injection** - Unescaped user input in LDAP filters
 5. **Weak Cryptography** - Use of MD5 and weak random number generation
 6. **Hard-coded Secrets** - Embedded credentials and encryption keys
+7. **Vulnerable Dependencies** - Uses `commons-collections:3.2.1` which has known deserialization vulnerabilities (CVE-2015-7501). This dependency appears in multiple paths in the dependency graph:
+   - As a direct dependency
+   - As a transitive dependency through `commons-beanutils:1.9.2`
+   - As a transitive dependency through `commons-digester:2.1` → `commons-beanutils:1.8.3`
 
 ## CodeQL Analysis
 
@@ -45,8 +49,24 @@ mvn test
 
 # Run the application (demonstrates vulnerabilities)
 mvn exec:java -Dexec.mainClass="com.example.app.VulnerableApplication"
+
+# View dependency tree to see multiple paths to commons-collections
+mvn dependency:tree -Dverbose
 ```
 
+### Viewing Multiple Dependency Paths
+
+To see how `commons-collections:3.2.1` appears in multiple paths in the dependency graph, run:
+
+```bash
+mvn dependency:tree -Dverbose | grep -E "commons-collections|commons-beanutils|commons-digester"
+```
+
+Expected output shows `commons-collections:3.2.1` appearing as:
+- A direct dependency
+- A transitive dependency through `commons-beanutils` (marked as "omitted for duplicate")
+- A transitive dependency through `commons-digester` → `commons-beanutils`
+
 ## Warning
 
 ⚠️ **This application contains intentional security vulnerabilities and should never be deployed in a production environment.** It is designed solely for educational purposes and CodeQL demonstration.

pom.xml

@@ -41,6 +41,34 @@
             <artifactId>commons-lang3</artifactId>
             <version>3.12.0</version>
         </dependency>
+
+        <!-- Vulnerable dependency (commons-collections 3.2.1) - direct dependency -->
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.1</version>
+        </dependency>
+
+        <!-- commons-beanutils also depends on commons-collections 3.2.1 - creates multiple paths -->
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.2</version>
+        </dependency>
+
+        <!-- commons-configuration also depends on commons-collections - creates another path -->
+        <dependency>
+            <groupId>commons-configuration</groupId>
+            <artifactId>commons-configuration</artifactId>
+            <version>1.10</version>
+        </dependency>
+
+        <!-- commons-digester also depends on commons-collections - creates another path -->
+        <dependency>
+            <groupId>commons-digester</groupId>
+            <artifactId>commons-digester</artifactId>
+            <version>2.1</version>
+        </dependency>
 
         <!-- Database connectivity for SQL injection demos -->
         <dependency>