This is an automated email from the ASF dual-hosted git repository. arm pushed a commit to branch arm in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit f819673beab881f9d41fa71de2c3d3d098db58d1
Author: Alastair McFarlane <[email protected]>
AuthorDate: Thu Mar 5 12:31:25 2026 +0000

    #763 - Convert to defusedxml
---
 atr/shared/distribution.py | 7 ++++---
 atr/svn/__init__.py        | 4 +++-
 atr/tasks/checks/rat.py    | 6 +++---
 uv.lock                    | 2 +-
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/atr/shared/distribution.py b/atr/shared/distribution.py
index 6408f94f..78510c54 100644
--- a/atr/shared/distribution.py
+++ b/atr/shared/distribution.py
@@ -300,7 +300,8 @@ async def json_from_distribution_platform(
 
 async def json_from_maven_xml(api_url: str, version: str) -> outcome.Outcome[basic.JSON]:
     import datetime
-    import xml.etree.ElementTree as ET
+
+    import defusedxml.ElementTree as ElementTree
 
     try:
         async with util.create_secure_session() as session:
@@ -309,7 +310,7 @@ async def json_from_maven_xml(api_url: str, version: str) -> outcome.Outcome[bas
                 xml_text = await response.text()
 
             # Parse the XML
-            root = ET.fromstring(xml_text)
+            root = ElementTree.fromstring(xml_text)
 
             # Extract versioning info
             group = root.find("groupId")
@@ -357,7 +358,7 @@ async def json_from_maven_xml(api_url: str, version: str) -> outcome.Outcome[bas
         return outcome.Result(result)
     except (aiohttp.ClientError, DistributionError) as e:
         return outcome.Error(e)
-    except ET.ParseError as e:
+    except ElementTree.ParseError as e:
         return outcome.Error(RuntimeError(f"Failed to parse Maven XML: {e}"))
 
 
diff --git a/atr/svn/__init__.py b/atr/svn/__init__.py
index a41a6bc0..4793085c 100644
--- a/atr/svn/__init__.py
+++ b/atr/svn/__init__.py
@@ -20,6 +20,7 @@ import datetime
 import pathlib
 from typing import Final, Self
 
+import defusedxml.ElementTree as ElementTree
 import pydantic
 import pydantic_xml
 
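Review bot: The rewritten handler `except ElementTree.ParseError as e:` in the third hunk does not cover the failures defusedxml introduces: a Maven metadata document carrying a DTD or entity declaration is rejected with `DTDForbidden`/`EntitiesForbidden`/`ExternalReferenceForbidden`, which in defusedxml derive from `defusedxml.DefusedXmlException` (a `ValueError`) rather than from `ParseError`, so such a response now escapes `json_from_maven_xml` as an uncaught exception instead of coming back as `outcome.Error` like every other parse failure. Since `xml_text` is whatever the remote `api_url` returned, this is exactly the untrusted input the hardening is for, and the error should stay inside the outcome protocol: add `import defusedxml` beside the new function-scope import and widen the clause to `except (ElementTree.ParseError, defusedxml.DefusedXmlException) as e:`. Maven metadata never legitimately carries a DOCTYPE, so `ElementTree.fromstring(xml_text, forbid_dtd=True)` would also be a reasonable tightening of the defaults. `json_from_maven_xml` continues outside the hunks, so confirm no other path in the body relies on the exception propagating.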
@@ -132,7 +133,8 @@ async def get_log(path: pathlib.Path) -> SvnLog:
         raise ValueError("SVN_TOKEN must be set")
     # TODO: Or omit username entirely?
     log_output = await _run_svn_command("log", str(path), "--xml", "--username", _ASF_TOOL, "--password", svn_token)
-    return SvnLog.from_xml(log_output)
+    root = ElementTree.fromstring(log_output)
+    return SvnLog.from_xml_tree(root)
 
 
 async def run_command(cmd: str, *args: str) -> str:
diff --git a/atr/tasks/checks/rat.py b/atr/tasks/checks/rat.py
index d2e685b3..461e59f9 100644
--- a/atr/tasks/checks/rat.py
+++ b/atr/tasks/checks/rat.py
@@ -21,9 +21,10 @@ import pathlib
 import shlex
 import subprocess
 import tempfile
-import xml.etree.ElementTree as ElementTree
 from typing import Final
 
+import defusedxml.ElementTree as ElementTree
+
 import atr.archives as archives
 import atr.config as config
 import atr.constants as constants
@@ -579,7 +580,6 @@ def _synchronous_extract_parse_output(xml_file: str, base_dir: str) -> checkdata
 def _synchronous_extract_parse_output_core(xml_file: str, base_dir: str) -> checkdata.Rat:
     """Parse the XML output from Apache RAT."""
     tree = ElementTree.parse(xml_file)
-    root = tree.getroot()
 
     total_files = 0
     approved_licenses = 0
@@ -590,7 +590,7 @@ def _synchronous_extract_parse_output_core(xml_file: str, base_dir: str) -> chec
     unknown_license_files: list[checkdata.RatFileEntry] = []
 
     # Process each resource
-    for resource in root.findall(".//resource"):
+    for resource in tree.findall(".//resource"):
         total_files += 1
 
         # Get the name attribute value
diff --git a/uv.lock b/uv.lock
index bc4814ff..8feb0f87 100644
--- a/uv.lock
+++ b/uv.lock
@@ -3,7 +3,7 @@ revision = 3
 requires-python = "==3.13.*"
 
 [options]
-exclude-newer = "2026-03-04T16:48:15Z"
+exclude-newer = "2026-03-05T12:15:00Z"
 
 [[package]]
 name = "aiofiles"

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
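Review bot: `root = ElementTree.fromstring(log_output)` produces a stdlib `xml.etree.ElementTree.Element`, while `SvnLog.from_xml_tree(root)` belongs to pydantic_xml, which as far as I know is implemented on top of lxml and expects an `lxml.etree._Element`; please confirm this path is covered by a test that actually parses `svn log --xml` output, because a stdlib element may be rejected or silently mis-read there. If pydantic_xml does need lxml, keeping `SvnLog.from_xml(log_output)` and supplying a hardened lxml parser (`resolve_entities=False`, `load_dtd=False`, `no_network=True`) would give the same protection without mixing element implementations, assuming `from_xml` accepts a parser argument in the version pinned here. On the unchanged context line, `"--password", svn_token` still places the credential on the svn command line where it is visible in the process table to other local users; `--password-from-stdin` (svn 1.10+) avoids that exposure. `get_log` starts outside the hunk.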
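Review bot: The second hunk removes `root = tree.getroot()` and the third rewrites the one visible use to `tree.findall(".//resource")`, but `_synchronous_extract_parse_output_core` continues well past both hunks; any remaining reference to `root` further down the body would now fail with `NameError` at runtime, so please grep the rest of the function before merging. While the parse call is being touched, the RAT report never carries a DOCTYPE, so `tree = ElementTree.parse(xml_file, forbid_dtd=True)` would reject doctype-bearing input outright instead of relying only on defusedxml's entity and external-reference checks. The rewrite itself is sound as far as the visible lines go: the stdlib `ElementTree.findall` delegates a relative path like `.//resource` to the root element, so dropping the intermediate variable preserves behavior.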
