Potential fix for code scanning alert no. 74: Unsafe shell command constructed from library input

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Derek Hower <[email protected]>

Author: dhower-qc

tools/gems/udb/lib/udb/resolver.rb

@@ -77,10 +77,10 @@ def any_newer?(target, deps)
     end
 
     # run command in the shell. raise if exit is not zero
-    sig { params(cmd: String).void }
+    sig { params(cmd: T::Array[String]).void }
     def run(cmd)
-      puts cmd
-      system cmd
+      puts cmd.join(" ")
+      system(*cmd)
       raise unless $?.success?
     end
 
@@ -149,7 +149,14 @@ def merge_arch(
 
       if any_newer?(gen_path / "arch" / config_name / ".stamp", deps)
         udb_gem_path = Bundler.definition.specs.find { |s| s.name == "udb" }.full_gem_path
-        run "#{python_path} #{udb_gem_path}/python/yaml_resolver.py merge #{arch_path} #{config_yaml["arch_overlay"]} #{gen_path}/arch/#{config_name}"
+        run [
+          python_path.to_s,
+          "#{udb_gem_path}/python/yaml_resolver.py",
+          "merge",
+          arch_path.to_s,
+          config_yaml["arch_overlay"].to_s,
+          "#{gen_path}/arch/#{config_name}"
+        ]
         FileUtils.touch(gen_path / "arch" / config_name / ".stamp")
       end
     end