Describe the bug
Bandit is using xml.etree, which is not recommended.
Reproduction steps
If you run bandit on itself
`bandit -r bandit`
you'll get the following:
```text
>> Issue: [B405:blacklist] Using cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   Location: bandit/formatters/xml.py:40:0
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
39	import sys
40	from xml.etree import cElementTree as ET
41
42	from bandit.core import docs_utils
```
Expected behavior
Replace this with defusedxml
Bandit version
1.7.4 (Default)
Python version
3.8
Additional context
No response
* Used nosec for various false positives.
1. xml.etree is used only for XML generation, not parsing
2. "0.0.0.0" is used in the plugin itself
3. Various strings of temp directories are used in the plugin
itself.
4. The subprocess call does use user input, but only from
the command line itself that is running baseline. Although
maybe this could be argued as an issue.
* Fixed the empty try-except-pass to have code in the except
block.
Fixes PyCQA#948
Signed-off-by: Eric Brown <[email protected]>
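An added example (not Bandit's own code, and not the reporter's or the committer's) showing both halves of this thread: the generation-only use of xml.etree that point 1 of the commit message describes, where no parser is ever created and a `# nosec` is justified, beside a parse of untrusted bytes, where the B405 concern is real. The parsing half reproduces the policy defusedxml applies (entity declarations always refused, DTDs optionally) directly on the stdlib expat parser so the example runs without the third-party package; it illustrates the defence and is not defusedxml itself. The JUnit-style report layout, the sample findings and the two payloads are constructed for the example, and it imports ElementTree rather than cElementTree because cElementTree was removed in Python 3.9.

```python
# Added illustration for this issue, not Bandit's code. The report layout,
# SAMPLE_FINDINGS and the two payloads below are assumptions made for the example.
from xml.parsers import expat

# Generation only: Element/SubElement/tostring, never fromstring/parse, so the
# B405 "parse untrusted XML" concern does not apply to this import.
from xml.etree import ElementTree as ET  # nosec B405


class ForbiddenXML(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


# Constructed sample findings, shaped loosely like Bandit issues. The '<' in
# the second message is there to show the serialiser escapes it.
SAMPLE_FINDINGS = [
    {"test_id": "B405", "severity": "LOW", "filename": "bandit/formatters/xml.py",
     "line": 40, "message": "Using cElementTree to parse untrusted XML data"},
    {"test_id": "B404", "severity": "LOW", "filename": "bandit/core/utils.py",
     "line": 1, "message": "subprocess import: check a < b carefully"},
]

# Constructed payloads of the two classic kinds B405 warns about.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<r>&xxe;</r>"""


def generate_report(findings):
    """Serialise findings to XML the way a formatter does.

    Data flows from Python objects to bytes only. No parser exists in this
    path, so entity expansion or external entity fetches cannot happen, and
    tostring() escapes '<', '&' and '"' in attribute values for us.
    """
    root = ET.Element("testsuite", name="bandit", tests=str(len(findings)))
    for finding in findings:
        case = ET.SubElement(root, "testcase",
                             classname=finding["filename"], name=finding["test_id"])
        ET.SubElement(case, "error", type=finding["severity"],
                      message="%s (line %d)" % (finding["message"], finding["line"]))
    return ET.tostring(root, encoding="utf-8")


def parse_untrusted(data, forbid_dtd=False):
    """Parse XML of unknown origin into an Element, refusing entity declarations.

    Mirrors the defusedxml policy (entities forbidden, DTD forbidden on request)
    but is built on the stdlib expat parser so it runs without the package.
    Illustration of the defence, not defusedxml's implementation.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid(*_args):
        # expat calls this while still reading the DTD, i.e. before any
        # entity could be expanded or fetched; raising aborts the parse.
        raise ForbiddenXML("DTD/entity declarations are not allowed in untrusted XML")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid          # <!ENTITY lol "lol"> and SYSTEM entities
    parser.UnparsedEntityDeclHandler = forbid  # <!ENTITY x SYSTEM "..." NDATA ...>
    parser.ExternalEntityRefHandler = forbid   # &ext; resolving to a file or URL (XXE)

    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data, **kwargs):
    """True if parse_untrusted refuses the document, False if it parses."""
    try:
        parse_untrusted(data, **kwargs)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    print(generate_report(SAMPLE_FINDINGS).decode())
    print("billion laughs rejected:", is_rejected(BILLION_LAUGHS))
    print("xxe rejected:", is_rejected(XXE))
    print("plain document parsed:", parse_untrusted(b"<r><a>1</a></r>").find("a").text)
```

The split is the point of the `# nosec`: a formatter that only ever calls `Element`, `SubElement` and `tostring` has no parser to attack, so the blacklist match is a false positive there, while any code path that calls `fromstring`, `parse` or `iterparse` on bytes it did not produce itself should go through defusedxml (or `defusedxml.defuse_stdlib()`) rather than a handler set like the one above, which is only here to show what that package refuses and when.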