Skip to content

Latest commit

 

History

History
132 lines (100 loc) · 4.97 KB

DEPENDENCY_ANALYSIS.md

File metadata and controls

132 lines (100 loc) · 4.97 KB

Dependency Analysis

Vulnerable Dependency in Multiple Paths

This project demonstrates vulnerable dependencies that appear in multiple dependency graph paths, along with additional vulnerable packages that have their own transitive dependencies.

Primary Vulnerable Package: commons-collections

Package: commons-collections:3.2.1

Known Vulnerabilities:

  • CVE-2015-7501: Apache Commons Collections InvokerTransformer class allows remote attackers to execute arbitrary Java code via crafted serialized objects through unsafe deserialization
  • This vulnerability affects commons-collections versions 3.0 through 3.2.1

Dependency Paths

The commons-collections:3.2.1 package appears in the following paths in the dependency graph:

  1. Direct Dependency

    vulnerable-app
└── commons-collections:3.2.1

  2. Transitive Dependency via commons-beanutils

    vulnerable-app
└── commons-beanutils:1.9.2
    └── commons-collections:3.2.1

  3. Transitive Dependency via commons-digester

    vulnerable-app
└── commons-digester:2.1
    └── commons-beanutils:1.8.3
        └── commons-collections:3.2.1

Additional Vulnerable Packages

This project also includes other vulnerable packages to demonstrate a more complex dependency graph:

  1. commons-fileupload:1.3.1

    • Known Vulnerabilities: CVE-2016-1000031 (File upload vulnerability)
    • Transitive Dependencies: Brings in commons-io:2.2
    vulnerable-app
└── commons-fileupload:1.3.1
    └── commons-io:2.2

  2. commons-codec:1.6

    • Older version that may have security issues
    • Direct dependency

  3. commons-dbcp:1.4

    • Database connection pooling library
    • Transitive Dependencies: Brings in commons-pool:1.5.4
    vulnerable-app
└── commons-dbcp:1.4
    └── commons-pool:1.5.4

Verification

To verify that the package appears in multiple paths, run:

mvn dependency:tree -Dverbose

Look for lines showing commons-collections with annotations like "omitted for duplicate" which indicates it's being pulled in through multiple paths.

Example output:

[INFO] +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  \- (commons-collections:commons-collections:jar:3.2.1:compile - omitted for duplicate)
[INFO] +- commons-digester:commons-digester:jar:2.1:compile
[INFO] |  +- (commons-beanutils:commons-beanutils:jar:1.8.3:compile - omitted for conflict with 1.9.2)
[INFO] |     \- (commons-collections:commons-collections:jar:3.2.1:compile - would be included)
[INFO] +- commons-fileupload:commons-fileupload:jar:1.3.1:compile
[INFO] |  \- commons-io:commons-io:jar:2.2:compile
[INFO] +- commons-codec:commons-codec:jar:1.6:compile
[INFO] +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] |  \- commons-pool:commons-pool:jar:1.5.4:compile

The key indicators are:

  • "omitted for duplicate" means the same dependency version is already included from another path
  • "omitted for conflict" means a different version of the same dependency is already included from another path
  • Both indicate multiple paths to the same or similar dependencies

Why This Matters

In real-world scenarios, vulnerable dependencies often appear in multiple paths through the dependency graph. This makes them:

  • More challenging to identify
  • Harder to remediate (requires updating multiple parent dependencies)
  • More likely to be overlooked by basic security scanning

This repository intentionally includes this pattern to demonstrate how dependency scanning tools like GitHub's Dependabot and CodeQL can detect such vulnerabilities across the entire dependency graph. By including multiple vulnerable packages with their own transitive dependencies, the repository also demonstrates:

  • How vulnerabilities cascade through dependency chains
  • The importance of Software Composition Analysis (SCA)
  • How GitHub's dependency graph visualizes these complex relationships
  • The "..." ellipsis menu that appears in GitHub's UI when packages have additional information, vulnerabilities, or multiple dependency paths. This menu provides access to vulnerability details, remediation suggestions, and dependency path information.

Viewing the Full Dependency Graph

To see the complete dependency tree:

# Standard view (duplicates are omitted)
mvn dependency:tree

# Verbose view (shows all paths including duplicates)
mvn dependency:tree -Dverbose

# Filter to see only commons-related dependencies
mvn dependency:tree -Dverbose | grep commons

Security Recommendations

⚠️ For educational purposes only

In a production environment, you would:

  1. Upgrade to a patched version of the vulnerable library
  2. If no patch exists, find alternative libraries
  3. Use dependency scanning tools to continuously monitor for vulnerabilities
  4. Implement Software Composition Analysis (SCA) in your CI/CD pipeline