Contributor

Copilot AI commented Sep 29, 2025

Overview

This PR adds a package with known security vulnerabilities (commons-collections:3.2.1) that appears in multiple paths within the dependency graph. This enhancement demonstrates how dependency scanning tools like GitHub Dependabot and CodeQL detect vulnerabilities across complex dependency chains.

What Changed

Added the following Maven dependencies to pom.xml:

  • commons-collections:3.2.1 - Direct dependency with known CVE-2015-7501 deserialization vulnerability
  • commons-beanutils:1.9.2 - Transitively depends on commons-collections:3.2.1
  • commons-digester:2.1 - Depends on commons-beanutils:1.8.3, creating another path to commons-collections
  • commons-configuration:1.10 - Additional dependency for graph complexity

Multiple Dependency Paths

The vulnerable package now appears in three distinct paths:

vulnerable-app
├── commons-collections:3.2.1 (DIRECT - CVE-2015-7501)
├── commons-beanutils:1.9.2
│   └── commons-collections:3.2.1 (TRANSITIVE)
└── commons-digester:2.1
    └── commons-beanutils:1.8.3
        └── commons-collections:3.2.1 (TRANSITIVE)

Verification

Run the following command to see the multiple paths:

mvn dependency:tree -Dverbose | grep -E "commons-collections|commons-beanutils|commons-digester"

Expected output shows commons-collections:3.2.1 appearing multiple times with annotations like "omitted for duplicate", confirming it's pulled through different dependency chains.

Documentation

  • Updated README.md with vulnerability information and verification instructions
  • Added DEPENDENCY_ANALYSIS.md with comprehensive explanation of:
    • Dependency graph structure
    • CVE details (CVE-2015-7501)
    • Security implications
    • Educational context

Why This Matters

In real-world scenarios, vulnerable dependencies often appear through multiple transitive paths, making them:

  • Harder to identify without proper tooling
  • More complex to remediate (requires updating multiple parent dependencies)
  • More likely to be overlooked by basic security scans

This repository now provides a realistic example for testing and demonstrating dependency scanning capabilities.

Testing

  • ✅ All existing tests pass
  • ✅ Build successful (mvn clean compile)
  • ✅ No breaking changes to application functionality

⚠️ Note: This change is intentional for educational and CodeQL demonstration purposes only. This application should never be deployed in a production environment.

Original prompt

This section details the original issue you should resolve

<issue_title>I need a package listed in the dependency graph, that has a vulnerability, to show up in multiple paths</issue_title>
<issue_description>I need a package listed in the dependency graph, that has a vulnerability, to show up in multiple paths</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #4
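The verification step above relies on eyeballing grep output. As an added example (not part of this PR or the project), the parser below rebuilds every root-to-leaf path from `mvn dependency:tree -Dverbose` output and separately reports edges Maven dropped for version conflict, because Maven prints no subtree below those, so the third path through commons-beanutils:1.8.3 is not visible in the tree itself. The sample output is constructed; the `com.example` group id and `1.0-SNAPSHOT` version are assumptions.

```python
import re
from typing import List, Optional, Tuple
# Constructed sample of `mvn dependency:tree -Dverbose` output for the tree the PR
# describes (not captured from the project). Verbose mode keeps the edges Maven's
# mediator dropped, in parentheses with an "omitted for ..." annotation.
SAMPLE_TREE = r"""
[INFO] com.example:vulnerable-app:jar:1.0-SNAPSHOT
[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  \- (commons-collections:commons-collections:jar:3.2.1:compile - omitted for duplicate)
[INFO] \- commons-digester:commons-digester:jar:2.1:compile
[INFO]    +- (commons-beanutils:commons-beanutils:jar:1.8.3:compile - omitted for conflict with 1.9.2)
[INFO]    \- commons-logging:commons-logging:jar:1.1.1:compile
"""

def _parse_line(line: str) -> Optional[Tuple[int, str, str]]:
    """Return (depth, "group:artifact:version", annotation) for a tree line, else None."""
    if not line.startswith("[INFO] "):
        return None
    body = line[len("[INFO] "):]
    conn = re.search(r"[+\\]- ", body)            # "+- " or "\- " introduces a child node
    depth = 0 if conn is None else conn.start() // 3 + 1   # root has no connector; 3 cols/level
    rest = body if conn is None else body[conn.end():]
    coord, _, note = rest.strip("()").partition(" - ")     # parenthesised = dropped by mediator
    parts = coord.split(":")                      # g:a:type[:classifier]:version[:scope]
    if len(parts) < 4:
        return None                               # plugin banner or other non-tree line
    version = parts[4] if len(parts) == 6 else parts[3]
    return depth, f"{parts[0]}:{parts[1]}:{version}", note

def _walk(tree_output: str):
    """Yield (path_from_root, annotation) per node, rebuilding paths from indentation."""
    stack: List[str] = []
    for line in tree_output.splitlines():
        parsed = _parse_line(line)
        if parsed is None:
            continue
        depth, gav, note = parsed
        del stack[depth:]                         # pop back to this node's parent
        stack.append(gav)
        yield list(stack), note

def paths_to(tree_output: str, group_artifact: str, version: str) -> List[List[str]]:
    """Every chain ending in group_artifact:version, including edges omitted as duplicates."""
    return [p for p, _ in _walk(tree_output) if p[-1] == f"{group_artifact}:{version}"]

def unexpanded_conflicts(tree_output: str) -> List[Tuple[List[str], str]]:
    """Edges dropped for version conflict: no subtree is printed below them, so a
    vulnerable artifact reachable only through them never appears in this output."""
    return [(p, n) for p, n in _walk(tree_output) if n.startswith("omitted for conflict")]
```

Each entry returned by `unexpanded_conflicts` is a parent whose own dependencies must be resolved separately (for example from its POM) before concluding that a vulnerable artifact is or is not reachable through it.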


Copilot AI and others added 4 commits September 29, 2025 21:43
Co-authored-by: mickeygousset <20031479+mickeygousset@users.noreply.github.com>
Copilot AI changed the title [WIP] I need a package listed in the dependency graph, that has a vulnerability, to show up in multiple paths Add vulnerable dependency with multiple paths in dependency graph Sep 29, 2025
Copilot AI requested a review from mickeygousset September 29, 2025 21:52
Copilot finished work on behalf of mickeygousset September 29, 2025 21:52
@mickeygousset mickeygousset marked this pull request as ready for review September 29, 2025 21:53
@mickeygousset mickeygousset merged commit f0f8ebc into main Sep 29, 2025