kezong / fat-aar-android

A Gradle plugin that merges dependencies into the final AAR file; works with AGP 3.+
MIT License

The fat-aar-android software detects known vulnerabilities. Is there any official fix plan? #383

Open yinsiye opened 2 years ago

yinsiye commented 2 years ago

Describe the issue

The fat-aar-android software detects known vulnerabilities. Is there any official fix plan?

Build Environment

| Component | Version | CVE | CVSS Version | CVSS |
| --- | --- | --- | --- | --- |
| gradle | 4.0 | CVE-2019-11065 | 3.0 | 5.9 |
| gradle | 4.0 | CVE-2019-16370 | 3.0 | 5.9 |
| gradle | 4.0 | CVE-2019-15052 | 3.0 | 9.8 |
| gradle | 4.0 | CVE-2020-11979 | 3.0 | 7.5 |
| gradle | 4.0 | CVE-2021-29429 | 3.0 | 5.5 |
| gradle | 4.0 | CVE-2021-29428 | 3.0 | 7.8 |
| gradle | 4.0 | CVE-2021-32751 | 3.0 | 7.5 |
| guava | 20.0 | CVE-2018-10237 | 3.0 | 5.9 |
| guava | 20.0 | CVE-2020-8908 | 3.0 | 3.3 |
| libjpeg-turbo | 1.5.3 | CVE-2018-14498 | 3.0 | 6.5 |
| libjpeg-turbo | 1.5.3 | CVE-2020-17541 | 3.0 | 8.8 |