fix: Replace xml.etree.ElementTree with defusedxml.ElementTree (#1430)

anthonyharrison · web-flow · commit b02eddc5ca9a · 2021-10-28T14:53:46.000-07:00
* Fixes #1398
diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py
@@ -2,11 +2,12 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import sqlite3
-import xml.etree.ElementTree as ET
 from collections import defaultdict
 from logging import Logger
 from typing import DefaultDict, Dict, List, Optional
 
+import defusedxml.ElementTree as ET
+
 from cve_bin_tool.cvedb import CVEDB
 from cve_bin_tool.input_engine import TriageData
 from cve_bin_tool.log import LOGGER
diff --git a/cve_bin_tool/sbom_manager/cyclonedx_parser.py b/cve_bin_tool/sbom_manager/cyclonedx_parser.py
@@ -2,9 +2,10 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
-import xml.etree.ElementTree as ET
 from typing import List
 
+import defusedxml.ElementTree as ET
+
 
 class CycloneParser:
     def __init__(self):
diff --git a/cve_bin_tool/sbom_manager/spdx_parser.py b/cve_bin_tool/sbom_manager/spdx_parser.py
@@ -3,9 +3,9 @@
 
 import json
 import re
-import xml.etree.ElementTree as ET
 from typing import List
 
+import defusedxml.ElementTree as ET
 import yaml
 
 from cve_bin_tool.log import LOGGER
diff --git a/cve_bin_tool/sbom_manager/swid_parser.py b/cve_bin_tool/sbom_manager/swid_parser.py
@@ -1,9 +1,10 @@
 # Copyright (C) 2021 Anthony Harrison
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-import xml.etree.ElementTree as ET
 from typing import List
 
+import defusedxml.ElementTree as ET
+
 
 class SWIDParser:
     def __init__(self):
diff --git a/requirements.csv b/requirements.csv
@@ -16,3 +16,4 @@ pytest,py
 srossross_not_in_db,rpmfile
 indygreg_not_in_db,zstandard
 nir0s_not_in_db,distro
+tiran_not_in_db,defusedxml
diff --git a/requirements.txt b/requirements.txt
@@ -15,3 +15,4 @@ rpmfile>=1.0.6
 zstandard; python_version >= "3.4"
 reportlab
 distro
+defusedxml
