Bump bandit and make oslo.messaging compatible with latest rules
Move from direct use of the lxml lib to the defusedxml lib [1] to fix B320 [2]

[1] https://pypi.org/project/defusedxml/0.7.1/
[2] https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_calls.html#b313-b320-xml

Change-Id: Id1faa9227415884d15c737ace5a0e0e5de3afa81
parent
f442d815c7
commit
f8e73e2e23
|
@ -13,7 +13,7 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from lxml import etree # nosec (bandit bug 1582516)
|
||||
from defusedxml.lxml import parse
|
||||
|
||||
|
||||
def _get_vmdk_name_from_ovf(root):
|
||||
|
@ -27,4 +27,4 @@ def _get_vmdk_name_from_ovf(root):
|
|||
|
||||
def get_vmdk_name_from_ovf(ovf_handle):
|
||||
"""Get the vmdk name from the given ovf descriptor."""
|
||||
return _get_vmdk_name_from_ovf(etree.parse(ovf_handle).getroot())
|
||||
return _get_vmdk_name_from_ovf(parse(ovf_handle).getroot())
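Review bot: The new import `from defusedxml.lxml import parse` depends on a module that defusedxml's own README lists as deprecated and scheduled for removal, so the B320 finding is cleared by leaning on an API without long-term support. If the wrapper is kept, a comment on the import such as `# defusedxml.lxml is deprecated upstream; revisit when it is removed` would record that. The alternative is an explicitly hardened lxml parser, `etree.parse(ovf_handle, etree.XMLParser(resolve_entities=False, no_network=True))`, with a scoped `# nosec B320`. The change also alters the error contract of `get_vmdk_name_from_ovf`: with the wrapper's defaults, an OVF descriptor that declares entities is rejected with `defusedxml.EntitiesForbidden` (a `ValueError` subclass) rather than being parsed. The one-line docstring should say so, e.g. `Raises defusedxml.EntitiesForbidden if the descriptor declares XML entities.`, and any caller that catches only lxml errors should be checked; no caller is visible on this page.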
|
||||
|
|
|
@ -14,6 +14,7 @@ oslo.utils>=3.33.0 # Apache-2.0
|
|||
PyYAML>=3.13 # MIT
|
||||
|
||||
lxml>=4.5.0 # BSD
|
||||
defusedxml>=0.7.1 # BSD
|
||||
suds-community>=0.6 # LGPLv3+
|
||||
eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT
|
||||
requests>=2.14.2 # Apache-2.0
|
||||
|
|
|
@ -13,7 +13,7 @@ stestr>=2.0.0 # Apache-2.0
|
|||
# [testenv:cover]
|
||||
# deps = {[testenv]deps} coverage
|
||||
coverage!=4.4,>=4.0 # Apache-2.0
|
||||
bandit>=1.6.0,<1.7.0 # Apache-2.0
|
||||
bandit>=1.7.0,<1.8.0 # Apache-2.0
|
||||
ddt>=1.0.1 # MIT
|
||||
oslo.context>=2.19.2 # Apache-2.0
|
||||
|
||||
|
|