PR#4005: Fix bandit "nosec" comments

Merges #4005
https://pagure.io/koji/pull-request/4005

Fixes: #4004
https://pagure.io/koji/issue/4004
Fix bandit warnings

Author: tkopecek

koji/__init__.py

@@ -1503,13 +1503,15 @@ def parse_pom(path=None, contents=None):
     contents = fixEncoding(contents)
 
     try:
-        xml.sax.parseString(contents, handler)  # nosec - trusted data
+        # trusted data, skipping bandit test
+        xml.sax.parseString(contents, handler)  # nosec
     except xml.sax.SAXParseException:
         # likely an undefined entity reference, so lets try replacing
         # any entity refs we can find and see if we get something parseable
         handler.reset()
         contents = ENTITY_RE.sub('?', contents)
-        xml.sax.parseString(contents, handler)  # nosec - trusted data
+        # trusted data, skipping bandit test
+        xml.sax.parseString(contents, handler)  # nosec
 
     for field in fields:
         if field not in util.to_list(values.keys()):

vm/kojivmd

@@ -751,7 +751,8 @@ class VMExecTask(BaseTaskHandler):
                 raise koji.BuildError('unsupported file type: %s' % type)
             koji.ensuredir(os.path.dirname(localpath))
             # closing needs to be used for requests < 2.18.0
-            # nosec - skipping missing timeout, it would be done on VM lifecycle level
+            # skipping missing timeout, it would be done on VM lifecycle level
+            # bypass bandit warning
             with closing(requests.get(remote_url, stream=True)) as response:  # nosec
                 response.raise_for_status()
                 with open(localpath, 'wb') as f: