This is an automated email from the ASF dual-hosted git repository.
arm pushed a commit to branch arm
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/arm by this push:
new 89ceac6c #763 - Convert to defusedxml
89ceac6c is described below
commit 89ceac6c53998c0c6e96487bd6930c9658f1d8aa
Author: Alastair McFarlane <[email protected]>
AuthorDate: Thu Mar 5 12:31:25 2026 +0000
#763 - Convert to defusedxml
---
atr/shared/distribution.py | 7 ++++---
atr/svn/__init__.py | 4 +++-
atr/tasks/checks/rat.py | 6 +++---
uv.lock | 2 +-
4 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/atr/shared/distribution.py b/atr/shared/distribution.py
index 6408f94f..78510c54 100644
--- a/atr/shared/distribution.py
+++ b/atr/shared/distribution.py
@@ -300,7 +300,8 @@ async def json_from_distribution_platform(
async def json_from_maven_xml(api_url: str, version: str) ->
outcome.Outcome[basic.JSON]:
import datetime
- import xml.etree.ElementTree as ET
+
+ import defusedxml.ElementTree as ElementTree
try:
async with util.create_secure_session() as session:
@@ -309,7 +310,7 @@ async def json_from_maven_xml(api_url: str, version: str)
-> outcome.Outcome[bas
xml_text = await response.text()
# Parse the XML
- root = ET.fromstring(xml_text)
+ root = ElementTree.fromstring(xml_text)
# Extract versioning info
group = root.find("groupId")
@@ -357,7 +358,7 @@ async def json_from_maven_xml(api_url: str, version: str)
-> outcome.Outcome[bas
return outcome.Result(result)
except (aiohttp.ClientError, DistributionError) as e:
return outcome.Error(e)
- except ET.ParseError as e:
+ except ElementTree.ParseError as e:
return outcome.Error(RuntimeError(f"Failed to parse Maven XML: {e}"))
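Review bot: The handler on the new side catches only `ElementTree.ParseError`, but the rejections that defusedxml adds (`defusedxml.DefusedXmlException` and subclasses such as `EntitiesForbidden`) derive from `ValueError`, not `ParseError`, so a Maven metadata document that trips the entity or external-reference guard now leaves json_from_maven_xml as an unhandled exception instead of an `outcome.Error`. Consider `except (ElementTree.ParseError, defusedxml.DefusedXmlException) as e:`, which needs a plain `import defusedxml` beside the `defusedxml.ElementTree` import added in the first hunk. The try block this handler belongs to begins outside the hunk.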
diff --git a/atr/svn/__init__.py b/atr/svn/__init__.py
index a41a6bc0..4793085c 100644
--- a/atr/svn/__init__.py
+++ b/atr/svn/__init__.py
@@ -20,6 +20,7 @@ import datetime
import pathlib
from typing import Final, Self
+import defusedxml.ElementTree as ElementTree
import pydantic
import pydantic_xml
@@ -132,7 +133,8 @@ async def get_log(path: pathlib.Path) -> SvnLog:
raise ValueError("SVN_TOKEN must be set")
# TODO: Or omit username entirely?
log_output = await _run_svn_command("log", str(path), "--xml",
"--username", _ASF_TOOL, "--password", svn_token)
- return SvnLog.from_xml(log_output)
+ root = ElementTree.fromstring(log_output)
+ return SvnLog.from_xml_tree(root)
async def run_command(cmd: str, *args: str) -> str:
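Review bot: `ElementTree.fromstring` on the new side yields a stdlib `xml.etree` element, while pydantic_xml's `from_xml_tree` operates on whichever element backend pydantic_xml picked at import time (lxml when it is installed); if the two differ the call may fail on the parsed tree, so confirm the backend in use matches or that the model is declared for the stdlib backend. A one-line comment would also help the next reader, e.g. `# Parse with defusedxml first so entity expansion in svn log output is rejected before the model sees it`. get_log's body starts outside the hunk.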
diff --git a/atr/tasks/checks/rat.py b/atr/tasks/checks/rat.py
index d2e685b3..461e59f9 100644
--- a/atr/tasks/checks/rat.py
+++ b/atr/tasks/checks/rat.py
@@ -21,9 +21,10 @@ import pathlib
import shlex
import subprocess
import tempfile
-import xml.etree.ElementTree as ElementTree
from typing import Final
+import defusedxml.ElementTree as ElementTree
+
import atr.archives as archives
import atr.config as config
import atr.constants as constants
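Review bot: `defusedxml` is imported here as a direct dependency (likewise in `atr/svn/__init__.py` and `atr/shared/distribution.py`), yet the diffstat lists no pyproject.toml change and the uv.lock hunk only moves `exclude-newer`, so the package appears to be satisfied transitively rather than declared. Declaring it in the project's own dependency list would keep the import from breaking on an unrelated upgrade that drops the transitive path. The import block continues outside the hunk.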
@@ -579,7 +580,6 @@ def _synchronous_extract_parse_output(xml_file: str,
base_dir: str) -> checkdata
def _synchronous_extract_parse_output_core(xml_file: str, base_dir: str) ->
checkdata.Rat:
"""Parse the XML output from Apache RAT."""
tree = ElementTree.parse(xml_file)
- root = tree.getroot()
total_files = 0
approved_licenses = 0
@@ -590,7 +590,7 @@ def _synchronous_extract_parse_output_core(xml_file: str,
base_dir: str) -> chec
unknown_license_files: list[checkdata.RatFileEntry] = []
# Process each resource
- for resource in root.findall(".//resource"):
+ for resource in tree.findall(".//resource"):
total_files += 1
# Get the name attribute value
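Review bot: The previous hunk removes `root = tree.getroot()` and this one retargets the `findall` to `tree`, but `_synchronous_extract_parse_output_core` continues past the hunk; confirm no later reference to `root` remains, since that would now surface as a `NameError` at runtime. For the visible lines the behaviour is unchanged: `ElementTree.findall(".//resource")` on the tree object searches from the root the same way the removed `root.findall` did.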
diff --git a/uv.lock b/uv.lock
index bc4814ff..8feb0f87 100644
--- a/uv.lock
+++ b/uv.lock
@@ -3,7 +3,7 @@ revision = 3
requires-python = "==3.13.*"
[options]
-exclude-newer = "2026-03-04T16:48:15Z"
+exclude-newer = "2026-03-05T12:15:00Z"
[[package]]
name = "aiofiles"