basic security checks with bandit

Fixes: https://pagure.io/koji/issue/3042

util/koji-shadow

@@ -411,7 +411,7 @@ class TrackedBuild(object):
             url = "%s/%s" % (pathinfo.build(self.info), pathinfo.rpm(self.srpm))
             log("Downloading %s" % url)
             # XXX - this is not really the right place for this
-            fsrc = urllib2.urlopen(url)
+            fsrc = urllib2.urlopen(url)  # nosec
             fn = "%s/%s.src.rpm" % (options.workpath, self.nvr)
             koji.ensuredir(os.path.dirname(fn))
             fdst = open(fn, 'wb')
@@ -856,7 +856,7 @@ class BuildTracker(object):
                 koji.ensuredir(os.path.dirname(dst))
                 os.chown(os.path.dirname(dst), 48, 48)  # XXX - hack
                 log("Downloading %s to %s" % (url, dst))
-                fsrc = urllib2.urlopen(url)
+                fsrc = urllib2.urlopen(url)  # nosec
                 fdst = open(fn, 'wb')
                 shutil.copyfileobj(fsrc, fdst)
                 fsrc.close()
@@ -870,7 +870,7 @@ class BuildTracker(object):
             koji.ensuredir(options.workpath)
             dst = "%s/%s" % (options.workpath, fn)
             log("Downloading %s to %s..." % (url, dst))
-            fsrc = urllib2.urlopen(url)
+            fsrc = urllib2.urlopen(url)  # nosec
             fdst = open(dst, 'wb')
             shutil.copyfileobj(fsrc, fdst)
             fsrc.close()

util/kojira

@@ -486,7 +486,7 @@ class RepoManager(object):
             self.logger.debug('Checking external url: %s' % arch_url)
             try:
                 r = requests.get(arch_url, timeout=5)
-                root = ElementTree.fromstring(r.text)
+                root = ElementTree.fromstring(r.text)  # nosec
                 ts_elements = root.iter('{http://linux.duke.edu/metadata/repo}timestamp')
                 arch_ts = max([round(float(child.text)) for child in ts_elements])
                 self.external_repo_ts[arch_url] = arch_ts