
B405 complains about any xml.etree.ElementTree import, not just parse-related ones

Open · vanschelven opened this issue 3 years ago • 2 comments


Importing like so

from xml.etree.ElementTree import Element

gives a bandit error (B405).

This error talks about parsing (which is indeed unsafe); but the imported thing is not related to parsing. At the same time, the suggested remedy (defusedxml) exclusively provides alternatives for parsing-related functions, in particular for parse, iterparse, fromstring, and XMLParser. In other words, the suggested solution of doing the following fails:

# Will fail!
from defusedxml.ElementTree import Element

vanschelven avatar Apr 15 '21 11:04 vanschelven
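As an added example (not code from the issue, from bandit, or from defusedxml), this is the split the report points at, written out in Python: tree construction and serialisation stay on the standard library's xml.etree.ElementTree, which never touches a parser, while any XML that comes from outside the process goes through defusedxml only, with no fallback to the stdlib parser if defusedxml is missing. The helper defusedxml_provides() checks by name which attributes defusedxml.ElementTree actually exposes, which is how a reviewer can confirm that Element has no defused counterpart. The `# nosec` marker on the import is bandit's own mechanism for recording a reviewed finding; the function names and the constructed sample data are mine.

```python
"""Build XML with the stdlib, parse untrusted XML only through defusedxml."""
import importlib
# Construction and serialisation only: Element/SubElement/tostring never parse
# input, which is the case B405 cannot distinguish from a parse-related import.
import xml.etree.ElementTree as ET  # nosec B405


def defusedxml_provides(name):
    """Return True/False if defusedxml.ElementTree has `name`, or None if defusedxml is not installed."""
    try:
        mod = importlib.import_module("defusedxml.ElementTree")
    except ImportError:
        return None
    return hasattr(mod, name)


def build_report(entries):
    """Construct an XML document from trusted in-memory (name, value) pairs.

    No parser is involved, so entity expansion and external references
    are not a concern here; values are escaped by the serialiser.
    """
    root = ET.Element("report")
    for name, value in entries:
        item = ET.SubElement(root, "item", attrib={"name": name})
        item.text = value
    return ET.tostring(root, encoding="unicode")


def parse_untrusted(data):
    """Parse XML from an untrusted source through defusedxml.

    Deliberately refuses to run if defusedxml is absent: silently falling
    back to xml.etree's parser would reintroduce the risk B405 warns about.
    DTD/entity declarations are rejected by defusedxml and surfaced as ValueError.
    """
    try:
        from defusedxml import DefusedXmlException
        from defusedxml.ElementTree import fromstring
    except ImportError as exc:
        raise RuntimeError("defusedxml is required to parse untrusted XML") from exc
    try:
        return fromstring(data)
    except DefusedXmlException as exc:
        raise ValueError(f"rejected XML: {exc.__class__.__name__}") from exc


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    doc = build_report([("host", "db01"), ("status", "ok & healthy")])
    print(doc)
    for attr in ("Element", "SubElement", "fromstring", "parse", "iterparse", "XMLParser"):
        print(f"defusedxml.ElementTree.{attr}: {defusedxml_provides(attr)}")
    try:
        print(parse_untrusted(doc).tag)
        # Constructed input with an entity declaration, the kind of document a
        # hardened parser should refuse before expanding anything.
        parse_untrusted('<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>')
    except (RuntimeError, ValueError) as err:
        print(err)
```

Running the script with defusedxml installed prints the constructed report, True for the four parsing names and False for Element and SubElement, then the rejection message for the entity-bearing input; without defusedxml the report is still built, and parse_untrusted() raises RuntimeError rather than parsing with the stdlib.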