bmuschko / gradle-cargo-plugin

Gradle plugin that provides deployment capabilities to local and remote containers via Cargo
Apache License 2.0

Getting some security alerts after importing Cargo plugin #208

Closed. xinlake closed this issue 1 year ago.

xinlake commented 1 year ago

I use the Cargo plugin to compile Rust code and it works fine. The full script is here:

cargo {
    module = "src/main/rust/shadowsocks-rust"
    libname = "sslocal"
    targets = ["arm", "arm64"]
    profile = findProperty("CARGO_PROFILE")?.toString() ?: getCurrentBuildType()
    extraCargoBuildArguments = ["--bin", libname]
    featureSpec.noDefaultBut(
        "stream-cipher",
        "aead-cipher-extra",
        "logging",
        "local-flow-stat",
        "local-dns",
        "aead-cipher-2022"
    )

    exec = { spec, toolchain ->
        // Probe for a Python interpreter for the linker wrapper.
        // Runtime.exec() does not go through a shell, so redirections such as
        // ">/dev/null 2>&1" are handed to the interpreter as literal arguments
        // and nothing is suppressed; run the probe as an argument array, drain
        // its output and check the exit code instead.
        def pythonList = ["python3", "python"]
        for (python in pythonList) {
            try {
                def probe = [python, "-V"].execute()
                probe.consumeProcessOutput()
                if (probe.waitFor() != 0) {
                    continue
                }
                spec.environment("RUST_ANDROID_GRADLE_PYTHON_COMMAND", python)
                project.logger.lifecycle("$python detected.")
                break
            } catch (IOException ignored) {
                // Interpreter not found on PATH; try the next candidate.
            }
        }

        spec.environment("RUST_ANDROID_GRADLE_LINKER_WRAPPER_PY", "$projectDir/$module/../linker-wrapper.py")
        spec.environment("RUST_ANDROID_GRADLE_TARGET", "target/${toolchain.target}/$profile/lib${libname}.so")
    }
}

But GitHub flags security issues:

GitHub found 6 vulnerabilities on xinlake/privch's default branch (2 high, 3 moderate, 1 low)
xinlake commented 1 year ago

Sorry, I thought these issues might belong to another project.