remove B320 (xml_bad_etree) and B410 (import_lxml)

bandit/blacklists/calls.py

@@ -256,13 +256,6 @@
 | B319 | xml_bad_pulldom     | - xml.dom.pulldom.parse            | Medium    |
 |      |                     | - xml.dom.pulldom.parseString      |           |
 +------+---------------------+------------------------------------+-----------+
-| B320 | xml_bad_etree       | - lxml.etree.parse                 | Medium    |
-|      |                     | - lxml.etree.fromstring            |           |
-|      |                     | - lxml.etree.RestrictedElement     |           |
-|      |                     | - lxml.etree.GlobalParserTLS       |           |
-|      |                     | - lxml.etree.getDefaultParser      |           |
-|      |                     | - lxml.etree.check_docinfo         |           |
-+------+---------------------+------------------------------------+-----------+
 
 B321: ftplib
 ------------
@@ -615,27 +608,6 @@ def gen_blacklist():
         )
     )
 
-    sets.append(
-        utils.build_conf_dict(
-            "xml_bad_etree",
-            "B320",
-            issue.Cwe.IMPROPER_INPUT_VALIDATION,
-            [
-                "lxml.etree.parse",
-                "lxml.etree.fromstring",
-                "lxml.etree.RestrictedElement",
-                "lxml.etree.GlobalParserTLS",
-                "lxml.etree.getDefaultParser",
-                "lxml.etree.check_docinfo",
-            ],
-            (
-                "Using {name} to parse untrusted XML data is known to be "
-                "vulnerable to XML attacks. Replace {name} with its "
-                "defusedxml equivalent function."
-            ),
-        )
-    )
-
     # end of XML tests
 
     sets.append(

bandit/blacklists/imports.py

@@ -130,18 +130,6 @@
 | B409 | import_xml_pulldom  | - xml.dom.pulldom                  | low       |
 +------+---------------------+------------------------------------+-----------+
 
-B410: import_lxml
------------------
-
-Using various methods to parse untrusted XML data is known to be vulnerable to
-XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
-
-+------+---------------------+------------------------------------+-----------+
-| ID   |  Name               |  Imports                           |  Severity |
-+======+=====================+====================================+===========+
-| B410 | import_lxml         | - lxml                             | low       |
-+------+---------------------+------------------------------------+-----------+
-
 B411: import_xmlrpclib
 ----------------------
 
@@ -297,11 +285,6 @@ def gen_blacklist():
         "defusedxml package, or make sure defusedxml.defuse_stdlib() "
         "is called."
     )
-    lxml_msg = (
-        "Using {name} to parse untrusted XML data is known to be "
-        "vulnerable to XML attacks. Replace {name} with the "
-        "equivalent defusedxml package."
-    )
 
     sets.append(
         utils.build_conf_dict(
@@ -358,17 +341,6 @@ def gen_blacklist():
         )
     )
 
-    sets.append(
-        utils.build_conf_dict(
-            "import_lxml",
-            "B410",
-            issue.Cwe.IMPROPER_INPUT_VALIDATION,
-            ["lxml"],
-            lxml_msg,
-            "LOW",
-        )
-    )
-
     sets.append(
         utils.build_conf_dict(
             "import_xmlrpclib",

tests/functional/test_functional.py

@@ -556,12 +556,6 @@ def test_xml(self):
         }
         self.check_example("xml_expatbuilder.py", expect)
 
-        expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 3, "MEDIUM": 1, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4},
-        }
-        self.check_example("xml_lxml.py", expect)
-
         expect = {
             "SEVERITY": {"UNDEFINED": 0, "LOW": 2, "MEDIUM": 2, "HIGH": 0},
             "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4},