Bump bandit and make oslo.messaging compatible with latest rules

Move from lxml lib direct usage to defusedxml lib [1] to fix B320 [2] [1] https://pypi.org/project/defusedxml/0.7.1/ [2] https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_calls.html#b313-b320-xml Change-Id: Id1faa9227415884d15c737ace5a0e0e5de3afa81
2023-05-19 17:18:03 +02:00 · 2023-05-19 17:18:03 +02:00 · f8e73e2e23
parent f442d815c7
commit f8e73e2e23
3 changed files with 4 additions and 3 deletions
--- a/oslo_vmware/image_util.py
+++ b/oslo_vmware/image_util.py
@ -13,7 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-from lxml import etree  # nosec (bandit bug 1582516)
+from defusedxml.lxml import parse


 def _get_vmdk_name_from_ovf(root):
@ -27,4 +27,4 @@ def _get_vmdk_name_from_ovf(root):

 def get_vmdk_name_from_ovf(ovf_handle):
    """Get the vmdk name from the given ovf descriptor."""
-    return _get_vmdk_name_from_ovf(etree.parse(ovf_handle).getroot())
+    return _get_vmdk_name_from_ovf(parse(ovf_handle).getroot())
--- a/requirements.txt
+++ b/requirements.txt
@ -14,6 +14,7 @@ oslo.utils>=3.33.0 # Apache-2.0
 PyYAML>=3.13 # MIT

 lxml>=4.5.0 # BSD
+defusedxml>=0.7.1 # BSD
 suds-community>=0.6 # LGPLv3+
 eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT
 requests>=2.14.2 # Apache-2.0
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -13,7 +13,7 @@ stestr>=2.0.0 # Apache-2.0
 #  [testenv:cover]
 #  deps = {[testenv]deps} coverage
 coverage!=4.4,>=4.0 # Apache-2.0
-bandit>=1.6.0,<1.7.0 # Apache-2.0
+bandit>=1.7.0,<1.8.0 # Apache-2.0
 ddt>=1.0.1 # MIT
 oslo.context>=2.19.2 # Apache-2.0