PR#4005: Fix bandit "nosec" comments

tkopecek · tkopecek · commit ee07eb7b439f · 2024-02-06T11:10:53.000+01:00
Merges #4005 https://pagure.io/koji/pull-request/4005 Fixes: #4004 https://pagure.io/koji/issue/4004 Fix bandit warnings
diff --git a/koji/__init__.py b/koji/__init__.py
@@ -1503,13 +1503,15 @@ def parse_pom(path=None, contents=None):
     contents = fixEncoding(contents)
 
     try:
-        xml.sax.parseString(contents, handler)  # nosec - trusted data
+        # trusted data, skipping bandit test
+        xml.sax.parseString(contents, handler)  # nosec
     except xml.sax.SAXParseException:
         # likely an undefined entity reference, so lets try replacing
         # any entity refs we can find and see if we get something parseable
         handler.reset()
         contents = ENTITY_RE.sub('?', contents)
-        xml.sax.parseString(contents, handler)  # nosec - trusted data
+        # trusted data, skipping bandit test
+        xml.sax.parseString(contents, handler)  # nosec
 
     for field in fields:
         if field not in util.to_list(values.keys()):
diff --git a/vm/kojivmd b/vm/kojivmd
@@ -751,7 +751,8 @@ class VMExecTask(BaseTaskHandler):
                 raise koji.BuildError('unsupported file type: %s' % type)
             koji.ensuredir(os.path.dirname(localpath))
             # closing needs to be used for requests < 2.18.0
-            # nosec - skipping missing timeout, it would be done on VM lifecycle level
+            # skipping missing timeout, it would be done on VM lifecycle level
+            # bypass bandit warning
             with closing(requests.get(remote_url, stream=True)) as response:  # nosec
                 response.raise_for_status()
                 with open(localpath, 'wb') as f:
