
[flake8-bandit] Remove suspicious-lxml-import (S410) #10154

Merged: 1 commit into main from charlie/s, Feb 28, 2024

Conversation

charliermarsh (Member)

Summary

The `lxml` library has been modified to address known vulnerabilities and unsafe defaults. As such, the `defusedxml` library is no longer necessary; `defusedxml` has deprecated its `lxml` module.

Closes #10030.

@charliermarsh charliermarsh added the breaking Breaking API change label Feb 28, 2024
@charliermarsh charliermarsh added this to the v0.3.0 milestone Feb 28, 2024
@charliermarsh charliermarsh added the rule Implementing or modifying a lint rule label Feb 28, 2024

ruff-ecosystem results

Linter (stable)

ℹ️ ecosystem check detected linter changes. (+26 -0 violations, +0 -0 fixes in 2 projects; 1 project error; 40 projects unchanged)

aws/aws-sam-cli (+22 -0 violations, +0 -0 fixes)

+ samcli/commands/build/build_context.py:581:46: E741 Ambiguous variable name: `l`
+ samcli/commands/build/build_context.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/commands/build/build_context.py:610:21: E741 Ambiguous variable name: `l`
+ samcli/commands/build/build_context.py:642:46: E741 Ambiguous variable name: `l`
+ samcli/commands/build/command.py:25:5: F401 [*] `samcli.commands._utils.options.terraform_plan_file_option` imported but unused
+ samcli/commands/build/command.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/commands/build/core/options.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/app_builder.py:1003:28: PLR2004 Magic value used in comparison, consider replacing `-32601` with a constant variable
+ samcli/lib/build/app_builder.py:45:44: F401 [*] `samcli.local.docker.exceptions.ContainerNotStartableException` imported but unused
+ samcli/lib/build/app_builder.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/app_builder.py:991:16: PLR2004 Magic value used in comparison, consider replacing `400` with a constant variable
+ samcli/lib/build/app_builder.py:991:34: PLR2004 Magic value used in comparison, consider replacing `500` with a constant variable
+ samcli/lib/build/app_builder.py:995:28: PLR2004 Magic value used in comparison, consider replacing `505` with a constant variable
+ samcli/lib/build/build_graph.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/build_strategy.py:30:51: F401 [*] `samcli.lib.utils.architecture.ARM64` imported but unused
+ samcli/lib/build/build_strategy.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/bundler.py:10:50: F401 [*] `samcli.commands.local.lib.exceptions.InvalidHandlerPathError` imported but unused
+ samcli/lib/build/bundler.py:7:27: F401 [*] `pathlib.PosixPath` imported but unused
+ samcli/lib/build/dependency_hash_generator.py:3:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/utils.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/workflow_config.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/workflow_config.py:7:42: F401 [*] `typing.Tuple` imported but unused

pypa/pip (+4 -0 violations, +0 -0 fixes)

+ src/pip/_internal/operations/build/build_tracker.py:6:47: F401 [*] `typing.Set` imported but unused
+ src/pip/_internal/operations/build/build_tracker.py:8:39: F401 [*] `pip._internal.models.link.Link` imported but unused
+ src/pip/_internal/operations/build/wheel_legacy.py:43:15: UP032 [*] Use f-string instead of `format` call
+ src/pip/_internal/operations/build/wheel_legacy.py:49:15: UP032 [*] Use f-string instead of `format` call

indico/indico (error)

ruff failed
  Cause: Rule `S410` was removed and cannot be selected.

Changes by rule (5 rules affected)

| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| I001 | 9 | 9 | 0 | 0 | 0 |
| F401 | 8 | 8 | 0 | 0 | 0 |
| PLR2004 | 4 | 4 | 0 | 0 | 0 |
| E741 | 3 | 3 | 0 | 0 | 0 |
| UP032 | 2 | 2 | 0 | 0 | 0 |

Linter (preview)

ℹ️ ecosystem check detected linter changes. (+45 -3 violations, +0 -0 fixes in 4 projects; 1 project error; 38 projects unchanged)

apache/airflow (+0 -1 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

- airflow/providers/amazon/aws/hooks/base_aws.py:338:14: S410 `lxml` is vulnerable to XML attacks

aws/aws-sam-cli (+41 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

+ samcli/commands/build/build_context.py:53:1: PLR0904 Too many public methods (26 > 20)
+ samcli/commands/build/build_context.py:54:9: PLR0917 Too many positional arguments (26/5)
+ samcli/commands/build/build_context.py:581:46: E741 Ambiguous variable name: `l`
+ samcli/commands/build/build_context.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/commands/build/build_context.py:610:21: E741 Ambiguous variable name: `l`
+ samcli/commands/build/build_context.py:642:46: E741 Ambiguous variable name: `l`
+ samcli/commands/build/command.py:139:5: PLR0917 Too many positional arguments (25/5)
+ samcli/commands/build/command.py:200:5: PLR0917 Too many positional arguments (22/5)
+ samcli/commands/build/command.py:228:5: PLC0415 `import` should be at the top-level of a file
+ samcli/commands/build/command.py:25:5: F401 [*] `samcli.commands._utils.options.terraform_plan_file_option` imported but unused
+ samcli/commands/build/command.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/commands/build/core/options.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/app_builder.py:1003:28: PLR2004 Magic value used in comparison, consider replacing `-32601` with a constant variable
+ samcli/lib/build/app_builder.py:458:9: PLR0917 Too many positional arguments (10/5)
+ samcli/lib/build/app_builder.py:45:44: F401 [*] `samcli.local.docker.exceptions.ContainerNotStartableException` imported but unused
+ samcli/lib/build/app_builder.py:593:9: PLR0917 Too many positional arguments (11/5)
+ samcli/lib/build/app_builder.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/app_builder.py:732:9: PLR0917 Too many positional arguments (8/5)
... 7 additional changes omitted for rule PLR0917
+ samcli/lib/build/app_builder.py:991:16: PLR2004 Magic value used in comparison, consider replacing `400` with a constant variable
+ samcli/lib/build/app_builder.py:991:34: PLR2004 Magic value used in comparison, consider replacing `500` with a constant variable
+ samcli/lib/build/app_builder.py:995:28: PLR2004 Magic value used in comparison, consider replacing `505` with a constant variable
+ samcli/lib/build/build_graph.py:379:13: PLW1514 `open` in text mode without explicit `encoding` argument
+ samcli/lib/build/build_graph.py:471:13: PLW1514 `open` in text mode without explicit `encoding` argument
+ samcli/lib/build/build_graph.py:515:7: PLW1641 Object does not implement `__hash__` method
+ samcli/lib/build/build_graph.py:579:7: PLW1641 Object does not implement `__hash__` method
+ samcli/lib/build/build_graph.py:5:1: I001 [*] Import block is un-sorted or un-formatted
+ samcli/lib/build/build_strategy.py:30:51: F401 [*] `samcli.lib.utils.architecture.ARM64` imported but unused
+ samcli/lib/build/build_strategy.py:5:1: I001 [*] Import block is un-sorted or un-formatted
... 4 additional changes omitted for rule I001
+ samcli/lib/build/bundler.py:10:50: F401 [*] `samcli.commands.local.lib.exceptions.InvalidHandlerPathError` imported but unused
+ samcli/lib/build/bundler.py:7:27: F401 [*] `pathlib.PosixPath` imported but unused
+ samcli/lib/build/utils.py:17:28: PLR6201 Use a `set` literal when testing for membership
+ samcli/lib/build/workflow_config.py:7:42: F401 [*] `typing.Tuple` imported but unused
... 1 additional changes omitted for rule F401

pypa/pip (+4 -0 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

+ src/pip/_internal/operations/build/build_tracker.py:6:47: F401 [*] `typing.Set` imported but unused
+ src/pip/_internal/operations/build/build_tracker.py:8:39: F401 [*] `pip._internal.models.link.Link` imported but unused
+ src/pip/_internal/operations/build/wheel_legacy.py:43:15: UP032 [*] Use f-string instead of `format` call
+ src/pip/_internal/operations/build/wheel_legacy.py:49:15: UP032 [*] Use f-string instead of `format` call

zulip/zulip (+0 -2 violations, +0 -0 fixes)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview --select ALL

- zerver/migrations/0257_fix_has_link_attribute.py:6:8: S410 `lxml` is vulnerable to XML attacks
- zerver/views/documentation.py:12:6: S410 `lxml` is vulnerable to XML attacks

indico/indico (error)

ruff check --no-cache --exit-zero --ignore RUF9 --output-format concise --preview

ruff failed
  Cause: Rule `S410` was removed and cannot be selected.

Changes by rule (12 rules affected)

| code | total | + violation | - violation | + fix | - fix |
|---|---|---|---|---|---|
| PLR0917 | 12 | 12 | 0 | 0 | 0 |
| I001 | 9 | 9 | 0 | 0 | 0 |
| F401 | 8 | 8 | 0 | 0 | 0 |
| PLR2004 | 4 | 4 | 0 | 0 | 0 |
| E741 | 3 | 3 | 0 | 0 | 0 |
| S410 | 3 | 0 | 3 | 0 | 0 |
| PLW1514 | 2 | 2 | 0 | 0 | 0 |
| PLW1641 | 2 | 2 | 0 | 0 | 0 |
| UP032 | 2 | 2 | 0 | 0 | 0 |
| PLR0904 | 1 | 1 | 0 | 0 | 0 |
| PLC0415 | 1 | 1 | 0 | 0 | 0 |
| PLR6201 | 1 | 1 | 0 | 0 | 0 |
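The `indico/indico` failure above ("Rule `S410` was removed and cannot be selected") is what a project sees when its Ruff configuration names the removed rule by its exact code. The following `pyproject.toml` fragment is an added example, not configuration from the Ruff repository or from any of the projects in the ecosystem check; the rule lists are constructed for illustration. The first block reproduces the failing shape, the second keeps the rest of the `flake8-bandit` family enabled without referencing the deleted code.

```toml
# Constructed example: selecting the removed rule by exact code makes
# `ruff check` exit with "Rule `S410` was removed and cannot be selected".
[tool.ruff.lint]
extend-select = ["S410"]

# Corrected form: select the bandit family by prefix. Prefix selection only
# enables rules that still exist, so S410 being removed no longer breaks the
# run, while the remaining XML rules (for example S320, mentioned later in
# this thread) stay active.
# [tool.ruff.lint]
# extend-select = ["S"]
```

Any `ignore` or `per-file-ignores` entry that names `S410` should be dropped at the same time, since there is no longer a rule for it to suppress.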

@charliermarsh charliermarsh merged commit a190517 into main Feb 28, 2024
17 checks passed
@charliermarsh charliermarsh deleted the charlie/s branch February 28, 2024 17:38
T-256 (Contributor) commented Feb 28, 2024

> pypa/pip (+4 -0 violations, +0 -0 fixes)

These are unrelated ecosystem changes. I think, to prevent them here, a possible solution could be using a tag or static revision of the git projects instead of the dynamic main/master branch.

```python
Project(repo=Repository(owner="DisnakeDev", name="disnake", ref="master")),
Project(repo=Repository(owner="PostHog", name="HouseWatch", ref="main")),
Project(repo=Repository(owner="RasaHQ", name="rasa", ref="main")),
Project(repo=Repository(owner="Snowflake-Labs", name="snowcli", ref="main")),
Project(repo=Repository(owner="aiven", name="aiven-client", ref="main")),
Project(repo=Repository(owner="alteryx", name="featuretools", ref="main")),
```

Over time you can update the tags manually or with a script that runs every month.
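The comment above points at a reproducibility problem: checking out `main`/`master` means the ecosystem baseline can drift between runs, so unrelated upstream commits show up as "changes" attributed to a Ruff PR. The script below is an added example, not code from the Ruff ecosystem checker; the `Repository`/`Project` dataclasses mirror the shape quoted in the comment but are constructed here, and the pinned entry (`ref="a190517"`, reusing the merge commit id from this page) is a constructed sample. It flags every project whose `ref` is a mutable branch name rather than a commit SHA or a release tag, which is the check a maintainer would run over the project list before trusting a diff.

```python
import re
from dataclasses import dataclass

# Constructed mirror of the Project/Repository shapes quoted above
# (hypothetical; not the ecosystem checker's real classes).
@dataclass(frozen=True)
class Repository:
    owner: str
    name: str
    ref: str

@dataclass(frozen=True)
class Project:
    repo: Repository

# Immutable references: an abbreviated or full commit SHA, or a version tag
# such as v1.2.3 / 2024.02.1 (optionally with a -rc1 style suffix).
_SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")
_TAG_RE = re.compile(r"^v?\d+(\.\d+)+(-[0-9A-Za-z.]+)?$")
# Branch names that move whenever upstream pushes; "1.x" style maintenance
# branches also fail the tag pattern because they carry no second digit group.
MUTABLE_BRANCHES = {"main", "master", "develop", "dev", "trunk"}

def is_pinned(ref: str) -> bool:
    """Return True when `ref` identifies an immutable revision."""
    if ref in MUTABLE_BRANCHES:
        return False
    return bool(_SHA_RE.match(ref) or _TAG_RE.match(ref))

def unpinned_projects(projects: list[Project]) -> list[str]:
    """Return 'owner/name@ref' for every project tracking a mutable ref."""
    return [
        f"{p.repo.owner}/{p.repo.name}@{p.repo.ref}"
        for p in projects
        if not is_pinned(p.repo.ref)
    ]

# Constructed sample list: the six entries quoted in the comment above plus
# one deliberately pinned entry so the report shows both outcomes.
PROJECTS = [
    Project(repo=Repository(owner="DisnakeDev", name="disnake", ref="master")),
    Project(repo=Repository(owner="PostHog", name="HouseWatch", ref="main")),
    Project(repo=Repository(owner="RasaHQ", name="rasa", ref="main")),
    Project(repo=Repository(owner="Snowflake-Labs", name="snowcli", ref="main")),
    Project(repo=Repository(owner="aiven", name="aiven-client", ref="main")),
    Project(repo=Repository(owner="alteryx", name="featuretools", ref="main")),
    Project(repo=Repository(owner="example", name="pinned-project", ref="a190517")),
]

if __name__ == "__main__":
    for entry in unpinned_projects(PROJECTS):
        print(f"unpinned: {entry}")
```

Running it prints the six branch-tracking projects and stays silent for the pinned one; wiring the same function into CI as a failing check is what turns the comment's suggestion into a guarantee that a rerun compares against the same upstream code.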

@MichaReiser MichaReiser removed the breaking Breaking API change label Feb 29, 2024
MichaReiser (Member) commented

I think we shouldn't consider this a breaking change because it is a preview rule. Unfortunately, our versioning policy isn't explicit about whether it is or isn't.

nkxxll pushed a commit to nkxxll/ruff that referenced this pull request Mar 10, 2024
…#10154)

## Summary

The `lxml` library has been modified to address known vulnerabilities
and unsafe defaults. As such, the `defusedxml`
library is no longer necessary, `defusedxml` has deprecated its `lxml`
module.

Closes astral-sh#10030.
diinngg commented Mar 13, 2024

Should S320 also be removed? It looks to be specific to `lxml`.

tumidi added a commit to questionpy-org/qpy-dev that referenced this pull request Apr 2, 2024
Rule S410 has been removed.

Ref: astral-sh/ruff#10154
Labels
rule Implementing or modifying a lint rule
Successfully merging this pull request may close these issues.

Remove rule S410
4 participants