Add transitive dependencies with vulnerabilities to demonstrate GitHub dependency graph ellipsis menu

DEPENDENCY_ANALYSIS.md

@@ -2,9 +2,9 @@
 
 ## Vulnerable Dependency in Multiple Paths
 
-This project demonstrates a vulnerable dependency (`commons-collections:3.2.1`) appearing in multiple paths in the dependency graph.
+This project demonstrates vulnerable dependencies that appear in multiple dependency graph paths, along with additional vulnerable packages that have their own transitive dependencies.
 
-### The Vulnerable Package
+### Primary Vulnerable Package: commons-collections
 
 **Package**: `commons-collections:3.2.1`
 
@@ -37,6 +37,32 @@ The `commons-collections:3.2.1` package appears in the following paths in the de
            └── commons-collections:3.2.1
    ```
 
+### Additional Vulnerable Packages
+
+This project also includes other vulnerable packages to demonstrate a more complex dependency graph:
+
+4. **commons-fileupload:1.3.1**
+   - **Known Vulnerabilities**: CVE-2016-1000031 (File upload vulnerability)
+   - **Transitive Dependencies**: Brings in `commons-io:2.2`
+   ```
+   vulnerable-app
+   └── commons-fileupload:1.3.1
+       └── commons-io:2.2
+   ```
+
+5. **commons-codec:1.6**
+   - Older version that may have security issues
+   - Direct dependency
+
+6. **commons-dbcp:1.4**
+   - Database connection pooling library
+   - **Transitive Dependencies**: Brings in `commons-pool:1.5.4`
+   ```
+   vulnerable-app
+   └── commons-dbcp:1.4
+       └── commons-pool:1.5.4
+   ```
+
 ### Verification
 
 To verify that the package appears in multiple paths, run:
@@ -55,6 +81,11 @@ Example output:
 [INFO] +- commons-digester:commons-digester:jar:2.1:compile
 [INFO] |  +- (commons-beanutils:commons-beanutils:jar:1.8.3:compile - omitted for conflict with 1.9.2)
 [INFO] |     \- (commons-collections:commons-collections:jar:3.2.1:compile - would be included)
+[INFO] +- commons-fileupload:commons-fileupload:jar:1.3.1:compile
+[INFO] |  \- commons-io:commons-io:jar:2.2:compile
+[INFO] +- commons-codec:commons-codec:jar:1.6:compile
+[INFO] +- commons-dbcp:commons-dbcp:jar:1.4:compile
+[INFO] |  \- commons-pool:commons-pool:jar:1.5.4:compile
 ```
 
 The key indicators are:
@@ -69,7 +100,11 @@ In real-world scenarios, vulnerable dependencies often appear in multiple paths
 - Harder to remediate (requires updating multiple parent dependencies)
 - More likely to be overlooked by basic security scanning
 
-This repository intentionally includes this pattern to demonstrate how dependency scanning tools like GitHub's Dependabot and CodeQL can detect such vulnerabilities across the entire dependency graph.
+This repository intentionally includes this pattern to demonstrate how dependency scanning tools like GitHub's Dependabot and CodeQL can detect such vulnerabilities across the entire dependency graph. By including multiple vulnerable packages with their own transitive dependencies, the repository also demonstrates:
+- How vulnerabilities cascade through dependency chains
+- The importance of Software Composition Analysis (SCA)
+- How GitHub's dependency graph visualizes these complex relationships
+- The "..." ellipsis menu that appears in GitHub's UI when packages have additional information, vulnerabilities, or multiple dependency paths. This menu provides access to vulnerability details, remediation suggestions, and dependency path information.
 
 ## Viewing the Full Dependency Graph
 

README.md

@@ -24,10 +24,15 @@ This application contains the following types of security vulnerabilities:
 4. **LDAP Injection** - Unescaped user input in LDAP filters
 5. **Weak Cryptography** - Use of MD5 and weak random number generation
 6. **Hard-coded Secrets** - Embedded credentials and encryption keys
-7. **Vulnerable Dependencies** - Uses `commons-collections:3.2.1` which has known deserialization vulnerabilities (CVE-2015-7501). This dependency appears in multiple paths in the dependency graph:
-   - As a direct dependency
-   - As a transitive dependency through `commons-beanutils:1.9.2`
-   - As a transitive dependency through `commons-digester:2.1` → `commons-beanutils:1.8.3`
+7. **Vulnerable Dependencies** - Multiple packages with known vulnerabilities:
+   - `commons-collections:3.2.1` - Deserialization vulnerabilities (CVE-2015-7501), appears in multiple paths:
+     - As a direct dependency
+     - As a transitive dependency through `commons-beanutils:1.9.2`
+     - As a transitive dependency through `commons-digester:2.1` → `commons-beanutils:1.8.3`
+   - `commons-fileupload:1.3.1` - Arbitrary file upload vulnerabilities (CVE-2016-1000031)
+   - `commons-codec:1.6` - Older version with potential vulnerabilities
+   - `commons-dbcp:1.4` - Database connection pool with transitive dependencies
+   - Additional transitive vulnerabilities through `commons-io:2.2` and `commons-pool:1.5.4`
 
 ## CodeQL Analysis
 

pom.xml

@@ -69,6 +69,27 @@
             <artifactId>commons-digester</artifactId>
             <version>2.1</version>
         </dependency>
+
+        <!-- commons-fileupload has known vulnerabilities (CVE-2016-1000031) - adds another vulnerable package -->
+        <dependency>
+            <groupId>commons-fileupload</groupId>
+            <artifactId>commons-fileupload</artifactId>
+            <version>1.3.1</version>
+        </dependency>
+
+        <!-- commons-codec older version - adds another transitive dependency path -->
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+            <version>1.6</version>
+        </dependency>
+
+        <!-- commons-dbcp with commons-pool - adds more transitive dependencies -->
+        <dependency>
+            <groupId>commons-dbcp</groupId>
+            <artifactId>commons-dbcp</artifactId>
+            <version>1.4</version>
+        </dependency>
 
         <!-- Database connectivity for SQL injection demos -->
         <dependency>