bmuschko/gradle-cargo-plugin

Getting some security alerts after importing Cargo plugin

xinlake opened this issue · 1 comments

I use the Cargo plugin to compile Rust code and it works fine. The full script is here:

```groovy
cargo {
    module = "src/main/rust/shadowsocks-rust"
    libname = "sslocal"
    targets = ["arm", "arm64"]
    // Build profile: the CARGO_PROFILE Gradle property if set, otherwise the current build type
    profile = findProperty("CARGO_PROFILE")?.toString() ?: getCurrentBuildType()
    extraCargoBuildArguments = ["--bin", libname]
    featureSpec.noDefaultBut(
        "stream-cipher",
        "aead-cipher-extra",
        "logging",
        "local-flow-stat",
        "local-dns",
        "aead-cipher-2022"
    )

    exec = { spec, toolchain ->
        // Pick the first Python interpreter that can actually be launched.
        // Runtime.exec does not go through a shell, so shell redirections such as
        // ">/dev/null 2>&1" would be passed to python as arguments; use the
        // argument-list form and wait for the process so a missing or broken
        // interpreter is detected reliably.
        def pythonList = ["python3", "python"]
        for (python in pythonList) {
            try {
                def proc = Runtime.getRuntime().exec([python, "-V"] as String[])
                proc.waitFor()
                if (proc.exitValue() != 0) continue
                spec.environment("RUST_ANDROID_GRADLE_PYTHON_COMMAND", python)
                project.logger.lifecycle("$python detected.")
                break
            } catch (IOException ignored) {
                // Interpreter not found on PATH; try the next candidate.
            }
        }

        // Path to the linker wrapper script, relative to the Rust module directory
        spec.environment("RUST_ANDROID_GRADLE_LINKER_WRAPPER_PY", "$projectDir/$module/../linker-wrapper.py")
        // Location of the built shared library for the current target and profile
        spec.environment("RUST_ANDROID_GRADLE_TARGET", "target/${toolchain.target}/$profile/lib${libname}.so")
    }
}
```

But GitHub reports security issues:

GitHub found 6 vulnerabilities on xinlake/privch's default branch (2 high, 3 moderate, 1 low)


Sorry, I thought these issues might belong to another project.