PR#4005: Fix bandit "nosec" comments

Merges #4005 https://pagure.io/koji/pull-request/4005 Fixes: #4004 https://pagure.io/koji/issue/4004 Fix bandit warnings
2024-02-06 11:10:53 +01:00 · 2024-02-06 11:10:53 +01:00 · ee07eb7b43
commit ee07eb7b43
parent 167ee017f2 77b7e3a0c9
2 changed files with 6 additions and 3 deletions
--- a/koji/init.py
+++ b/koji/init.py
@ -1503,13 +1503,15 @@ def parse_pom(path=None, contents=None):
    contents = fixEncoding(contents)

    try:
-        xml.sax.parseString(contents, handler)  # nosec - trusted data
+        # trusted data, skipping bandit test
+        xml.sax.parseString(contents, handler)  # nosec
    except xml.sax.SAXParseException:
        # likely an undefined entity reference, so lets try replacing
        # any entity refs we can find and see if we get something parseable
        handler.reset()
        contents = ENTITY_RE.sub('?', contents)
-        xml.sax.parseString(contents, handler)  # nosec - trusted data
+        # trusted data, skipping bandit test
+        xml.sax.parseString(contents, handler)  # nosec

    for field in fields:
        if field not in util.to_list(values.keys()):
--- a/vm/kojivmd
+++ b/vm/kojivmd
@ -751,7 +751,8 @@ class VMExecTask(BaseTaskHandler):
                raise koji.BuildError('unsupported file type: %s' % type)
            koji.ensuredir(os.path.dirname(localpath))
            # closing needs to be used for requests < 2.18.0
-            # nosec - skipping missing timeout, it would be done on VM lifecycle level
+            # skipping missing timeout, it would be done on VM lifecycle level
+            # bypass bandit warning
            with closing(requests.get(remote_url, stream=True)) as response:  # nosec
                response.raise_for_status()
                with open(localpath, 'wb') as f: