I don't believe you can import `fromstring`, `iterparse`, or `parse`; as a result this doesn't do what you want.
Ah sorry, looks like B314 rules already cover it. Dumb me.
What do you think? B405 rules are too general and make the entire contents of the `ElementTree` module seem dangerous from a security perspective, even though there are functions or classes that are not dangerous, for example `Element`, which is needed for typing. Do I need to add all the functions or classes that are dangerous and not include those that have nothing to do with security, as I have listed above?

Before the changes in this PR, this code will warn B405 rules. But after the changes in this PR, this code will not warn B405.

And after the changes in this PR too, this code will warn B405, although bandit only warns on the `fromstring` and the rest is not. Looks weird.

If there was a way for bandit to raise a warning on a module but some of the contents of that module didn't raise a warning, things would become simple and I don't have to give `# nosec: B405` everywhere.

This code will result in `ModuleNotFoundError`. Instead someone will use this