SDK Component Governance Guidelines

Jair Myree edited this page Mar 13, 2025 · 1 revision

It is the responsibility of the SDK owner to ensure that the components they use do not expose vulnerabilities through the SDK.

Taking a dependency on components with known vulnerabilities will result in vulnerability reports against the SDK. SDK owners need to keep dependencies updated and monitor the CVE reports filed against their SDK and its dependencies.

Assessing Vulnerability Status

The best way to check the status of the SDK is to use OWASP Dependency-Check, which queries the National Vulnerability Database (NVD) for reported and assessed vulnerabilities. The Azure-SDK-for-Java uses the OWASP Dependency-Check Maven plugin to assess the status of its libraries.

Checking a Library

To check a library, run the command mvn dependency-check:check from the project directory, e.g.:

C:\<repo_path>\azure-sdk-for-java\sdk\tables\azure-data-tables> mvn dependency-check:check

After the command completes, a dependency-check-report.html will be generated within the target directory of the library. The report will contain the

Note: It is important to understand that the first time this task is executed it may take 20 minutes or more as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST.

NVD API Key

While the plugin can be run without an API key, the database download takes substantially longer. It is recommended that you request an API key from NVD. Once you have obtained your API key, pass it to the command using the -DnvdApiKey=<your_key> flag. It is recommended that you store your API key in a local environment variable for future use. Do not add your API key to the library pom file, as API keys are not allowed in the repository.
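The following script ties the two steps above together: it builds the mvn dependency-check:check invocation with the NVD API key taken from an environment variable rather than a pom file, and it triages the resulting report so that findings above a chosen CVSS score fail the run. It is an added example, not part of the Azure SDK for Java wiki, repository tooling or OWASP Dependency-Check itself. It assumes the plugin's nvdApiKey and format parameters, that the plugin was run with -Dformat=JSON so a dependency-check-report.json sits next to the HTML report described above, and that the JSON layout sketched in the comments matches the plugin's report schema; the sample report and CVE identifiers embedded in it are constructed.

```python
"""Added example (not the Azure SDK for Java wiki's or OWASP Dependency-Check's code).

Assumptions, labelled as such:
  * `-DnvdApiKey` and `-Dformat=JSON` are the Maven plugin's parameters for
    the NVD key and the report format.
  * The JSON report has a top-level "dependencies" list; each entry carries a
    "fileName" and an optional "vulnerabilities" list whose items have "name",
    "severity" and an optional "cvssv3" / "cvssv2" block with a base score.
"""
import json
import os
import sys
from typing import Dict, List, Mapping, Optional, Tuple

Finding = Tuple[str, str, float]  # (dependency file name, CVE id, CVSS base score)


def mvn_dependency_check_command(env: Mapping[str, str] = os.environ,
                                 key_var: str = "NVD_API_KEY") -> List[str]:
    """Return the argv for `mvn dependency-check:check`.

    The NVD key comes from the environment so it never lands in a pom file or
    a committed script. A missing key raises instead of silently falling back
    to the slow unauthenticated NVD download.
    """
    key = env.get(key_var)
    if not key:
        raise RuntimeError(f"{key_var} is not set; request a key from NVD and export it")
    return ["mvn", "dependency-check:check", f"-DnvdApiKey={key}", "-Dformat=JSON"]


def _base_score(vuln: Dict) -> float:
    """Prefer CVSSv3, fall back to CVSSv2; 0.0 when neither is present."""
    for block in ("cvssv3", "cvssv2"):
        data = vuln.get(block) or {}
        for field in ("baseScore", "score"):
            if field in data:
                return float(data[field])
    return 0.0


def findings_at_or_above(report: Dict, threshold: float) -> List[Finding]:
    """Collect (dependency, CVE, score) triples scoring at or above `threshold`,
    highest score first, so the report can gate a build the way the HTML
    report's table would be read by hand."""
    out: List[Finding] = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []) or []:
            score = _base_score(vuln)
            if score >= threshold:
                out.append((dep.get("fileName", "<unknown>"), vuln["name"], score))
    return sorted(out, key=lambda f: (-f[2], f[0], f[1]))


def load_report(path: str) -> Optional[Dict]:
    """Load target/dependency-check-report.json; None if the run never wrote it."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample report (placeholder CVE ids and a fictional jar); it stands
# in for target/dependency-check-report.json when running offline.
SAMPLE_REPORT: Dict = {
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-1.0.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}},
            ],
        },
        {"fileName": "example-clean-2.3.1.jar"},  # no findings for this dependency
    ],
}


if __name__ == "__main__":
    # Usage: python triage.py [path/to/dependency-check-report.json] [threshold]
    path = sys.argv[1] if len(sys.argv) > 1 else "target/dependency-check-report.json"
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    report = load_report(path) or SAMPLE_REPORT
    print("Suggested invocation:", " ".join(
        a if not a.startswith("-DnvdApiKey=") else "-DnvdApiKey=<redacted>"
        for a in mvn_dependency_check_command()))
    findings = findings_at_or_above(report, threshold)
    for dep, cve, score in findings:
        print(f"{score:4.1f}  {cve:16}  {dep}")
    sys.exit(1 if findings else 0)
```

When the script is run for real, the suggested invocation is printed with the key redacted, which is the same hygiene the wiki asks for: the key lives in NVD_API_KEY, is handed to Maven only for the duration of the command, and never appears in the pom. The threshold of 7.0 is an arbitrary choice for the example; pick whatever your team's triage policy demands.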
