It doesn't cover everything, but at least the defusedxml.lxml module is deprecated and it has been suggested libxml has been updated enough to no longer need this.

Some discussion here:

https://github.com/PyCQA/bandit/issues/435

** Changed in: cinder
       Status: In Progress => Invalid

** Changed in: cinder
       Status: Invalid => Won't Fix

** Bug watch added: github.com/PyCQA/bandit/issues #435
   https://github.com/PyCQA/bandit/issues/435

--
You received this bug notification because you are a member of OpenStack Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1732155

Title:
  bandit report: use defusedxml to avoid XML attack

Status in Cinder:
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  According to
  https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html

  Using various XML methods to parse untrusted XML data is known to be
  vulnerable to XML attacks. Methods should be replaced with their
  defusedxml equivalents.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1732155/+subscriptions
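An added example, not code from this bug report, Cinder, bandit or defusedxml: a standard-library sketch of the kind of pre-parse check the bug description asks for, refusing documents that declare entities (and optionally any DOCTYPE) before handing them to ElementTree. The names `safe_fromstring`, `rejection_reason` and `ForbiddenXML` and the sample documents are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (not taken from the bug report).
BENIGN = b"<volume><name>vol-1</name></volume>"
WITH_ENTITY = b'<!DOCTYPE v [<!ENTITY a "aaaa">]><v>&a;</v>'
WITH_DTD_ONLY = b"<!DOCTYPE v [<!ELEMENT v (#PCDATA)>]><v>ok</v>"


class ForbiddenXML(ValueError):
    """The document uses a construct this parser refuses to process."""


def _reject(kind):
    # expat passes different arguments to each handler; none are needed here.
    def handler(*_args):
        raise ForbiddenXML(kind)
    return handler


def safe_fromstring(data, forbid_dtd=False):
    """Parse data with ElementTree only after expat has seen no entity
    declarations (and, optionally, no DOCTYPE at all)."""
    checker = expat.ParserCreate()
    if forbid_dtd:
        checker.StartDoctypeDeclHandler = _reject("DTD")
    checker.EntityDeclHandler = _reject("entity declaration")
    checker.UnparsedEntityDeclHandler = _reject("unparsed entity declaration")
    checker.ExternalEntityRefHandler = _reject("external entity reference")
    # A handler exception propagates out of Parse(); malformed input raises
    # expat.ExpatError instead.
    checker.Parse(data, True)
    return ET.fromstring(data)


def rejection_reason(data, forbid_dtd=False):
    """Return why data was refused, or None if it parsed."""
    try:
        safe_fromstring(data, forbid_dtd)
    except ForbiddenXML as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for sample in (BENIGN, WITH_ENTITY, WITH_DTD_ONLY):
        print(sample, "->", rejection_reason(sample), rejection_reason(sample, True))
```

The check parses the input twice, which is acceptable for small API request bodies; it says nothing about lxml, which has its own parser options.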