misc: Bandit scan issue for lxml #8716

dongpingx · 2024-08-28T08:54:48Z

This patch is to fix Bandit scan issue b313-b320 which is vulnerable to XML attacks when parsing untrusted XML data.

I replace lxml.etree with the equivalent defusedxml package.

I confirm it works after making a Bandit scan, building the configurator and compiling the acrn.

Tracked-On: ACRN-10179

yuhuanX · 2024-08-29T01:06:14Z

@dongpingx ，this is opensource acrn, valid Tracked-On is github issue number.

yuhuanX · 2024-08-29T02:21:40Z

start to build

yuhuanX · 2024-08-29T06:20:28Z

start to run premerge test

This patch is to fix Bandit scan issue b313-b320 which is vulnerable to XML attacks when parsing untrusted XML data. I replace lxml.etree with the equivalent defusedxml package. I confirm it works after making a Bandit scan, building the configurator and compiling the acrn. Signed-off-by: dongpingx <dongpingx.wu@intel.com> Tracked-On: projectacrn#8717

yuhuanX · 2024-09-11T01:39:13Z

Can one of the admins verify this patch?

dongpingx requested review from terryzouhao and NanlinXie as code owners August 28, 2024 08:54

acrnsi-robot added the master label Aug 28, 2024

dongpingx force-pushed the fix_acrn-10179-bandit branch from 42e7063 to b0f9a36 Compare August 29, 2024 06:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

misc: Bandit scan issue for lxml #8716

misc: Bandit scan issue for lxml #8716

dongpingx commented Aug 28, 2024

yuhuanX commented Aug 29, 2024

yuhuanX commented Aug 29, 2024

yuhuanX commented Aug 29, 2024

yuhuanX commented Sep 11, 2024

misc: Bandit scan issue for lxml #8716

Are you sure you want to change the base?

misc: Bandit scan issue for lxml #8716

Conversation

dongpingx commented Aug 28, 2024

yuhuanX commented Aug 29, 2024

yuhuanX commented Aug 29, 2024

yuhuanX commented Aug 29, 2024

yuhuanX commented Sep 11, 2024