Skip to content

B410: lxml.cssselect has no equivalent in defusedxml #716

@icemac

Description

@icemac

Describe the bug
The message for B410 ("Using lxml.cssselect to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.cssselect with the equivalent defusedxml package.") is misleading: There is no equivalent in the defusedxml package. According to https://github.com/tiran/defusedxml/blob/9ca12a2cd3faf4554b30ac7d380a4ea393469c72/defusedxml/lxml.py#L26-L29 defusedxml.lxml is deprecated and to be be removed.

To Reproduce
Steps to reproduce the behavior:

  1. Have a Python module containing import lxml.cssselect.
  2. Run bandit on it
  3. See error message

Expected behavior
No message should be shown.

Bandit version

bandit 1.7.0
  python version = 3.8.10 (default, May  7 2021, 21:09:28) [Clang 12.0.5 (clang-1205.0.22.9)]

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions