Bump bandit and make oslo.messaging compatible with latest rules

- Move from lxml lib direct usage to defusedxml lib [1] to fix B320 [2]

[1] https://pypi.org/project/defusedxml/0.7.1/
[2] https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_calls.html#b313-b320-xml

Change-Id: Id1faa9227415884d15c737ace5a0e0e5de3afa81

oslo_vmware/image_util.py

@@ -13,7 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from lxml import etree  # nosec (bandit bug 1582516)
+from defusedxml.lxml import parse
 
 
 def _get_vmdk_name_from_ovf(root):
@@ -27,4 +27,4 @@ def _get_vmdk_name_from_ovf(root):
 
 def get_vmdk_name_from_ovf(ovf_handle):
     """Get the vmdk name from the given ovf descriptor."""
-    return _get_vmdk_name_from_ovf(etree.parse(ovf_handle).getroot())
+    return _get_vmdk_name_from_ovf(parse(ovf_handle).getroot())

oslo_vmware/service.py

@@ -102,7 +102,7 @@ class Response(io.BytesIO):
         self.status = status
         self.headers = headers or {}
         self.reason = requests.status_codes._codes.get(
-            status, [''])[0].upper().replace('_', ' ')
+            status, [''])[0].upper().replace('_', ' ')  # nosec
         io.BytesIO.__init__(self, stream)
 
     @property

requirements.txt

@@ -14,6 +14,7 @@ oslo.utils>=3.33.0 # Apache-2.0
 PyYAML>=3.13 # MIT
 
 lxml>=4.5.0 # BSD
+defusedxml>=0.7.1 # BSD
 suds-community>=0.6 # LGPLv3+
 eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT
 requests>=2.14.2 # Apache-2.0

test-requirements.txt

@@ -13,7 +13,7 @@ stestr>=2.0.0 # Apache-2.0
 #  [testenv:cover]
 #  deps = {[testenv]deps} coverage
 coverage!=4.4,>=4.0 # Apache-2.0
-bandit>=1.6.0,<1.7.0 # Apache-2.0
+bandit>=1.7.0,<1.8.0 # Apache-2.0
 ddt>=1.0.1 # MIT
 oslo.context>=2.19.2 # Apache-2.0