
fix: resolve Codacy issues across XML parsing, imports, and security #103

Merged
JE-Chen merged 3 commits into main from dev, Apr 25, 2026

fix: resolve Codacy issues across XML parsing, imports, and security#103
JE-Chen merged 3 commits intomainfrom
dev

Conversation

@JE-Chen (Member) commented Apr 25, 2026

Summary

  • Switch all XML parsing in production code to defusedxml (xml_file, generate_xml_report); annotate stdlib imports kept for typing/construction with # nosec and # nosemgrep.
  • Add defusedxml>=0.7.1 runtime dependency.
  • Harden PackageManager.load_package_if_available with a strict regex whitelist before importlib.import_module to address Semgrep non-literal-import.
  • Remove unused imports (queue, os, json, Union, TestRecord); preserve request_hook side-effect import with # noqa: F401.
  • Rename Sphinx copyright to project_copyright to stop shadowing the builtin.
  • Configure Bandit ([tool.bandit] in pyproject.toml) and Codacy (.codacy.yaml) so B101 is skipped in test/** (pytest-asserts are intentional).

Clears all 140 issues currently reported by the Codacy API:

  • 111× Bandit B101 (assert in tests)
  • 14× XML-parser warnings (B314/B318/B405/B408 + Semgrep use-defused-xml)
  • 7× Pyflakes unused-import
  • 1× non-literal-import
  • 1× redefined-builtin (copyright)

Test plan

  • pytest test/ — 84 passed
  • Smoke-test reformat_xml_file, XMLParser, dict_to_elements_tree after the defusedxml swap
  • Codacy re-scan on the PR shows 0 issues

- Switch XML parsing to defusedxml in xml_file, generate_xml_report,
  and writers to address Bandit B314/B318/B405/B408 and Semgrep
  use-defused-xml warnings; mark stdlib imports kept for typing or
  construction with nosec/nosemgrep.
- Add defusedxml runtime dependency in pyproject.toml.
- Validate package names with a strict regex before importlib.import_module
  in PackageManager to address Semgrep non-literal-import.
- Drop unused imports (queue, os, json, Union, TestRecord) and tag
  side-effect request_hook import with noqa: F401.
- Rename Sphinx conf copyright to project_copyright to stop builtin shadow.
- Configure Bandit (pyproject.toml) and Codacy (.codacy.yaml) to skip
  B101 in test files.
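The two items in the summary that carry the most security weight are the defusedxml swap and the module-name check in front of importlib.import_module. What follows is an added example, not code from this PR or from the project, that spells both out in runnable form. Its assumptions: the module-name regex and the optional allow-list are this example's own (the PR does not show its actual pattern); defusedxml is used when it is installed, otherwise a stdlib expat pre-screen refuses the same constructs before xml.etree builds the tree; and the two sample documents are constructed for the demonstration.

```python
"""Added example, not project code: entity-safe XML parsing and a whitelisted
dynamic import, the two hardenings described in the PR summary above."""
import importlib
import re
import xml.etree.ElementTree as ET  # nosec B405 - only fed pre-screened bytes below
import xml.parsers.expat as expat
from types import ModuleType
from typing import Iterable, Optional

try:
    import defusedxml
    import defusedxml.ElementTree as DET  # what the PR switched production code to
except ImportError:  # optional for this demo; the expat screen below takes over
    defusedxml = DET = None


class UnsafeXML(ValueError):
    """The document uses a DTD, an entity declaration or an external reference."""


def _screen_with_expat(data: bytes) -> None:
    """Stdlib fallback that fails closed on the constructs defusedxml forbids.

    Internal-entity blowup ("billion laughs") needs an <!ENTITY> declaration and
    XXE needs an external reference, so refusing the declarations stops both
    before any expansion or fetch. Refusing the DOCTYPE outright is stricter
    than defusedxml's default (forbid_dtd=False); a test-report parser has no
    legitimate use for one.
    """
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise UnsafeXML("DOCTYPE/entity constructs are not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(data, True)  # a raising handler aborts the parse and propagates


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; raise UnsafeXML instead of expanding entities."""
    if DET is not None:
        try:
            return DET.fromstring(data)
        except defusedxml.DefusedXmlException as exc:
            raise UnsafeXML(str(exc)) from exc
    _screen_with_expat(data)
    return ET.fromstring(data)  # nosec B314 - screened above


def stdlib_expands_entities(data: bytes) -> int:
    """The pre-PR behaviour: xml.etree expands internal entities silently.
    Returns the expanded text length so the amplification is visible.
    libexpat >= 2.4 caps amplification, but only once output exceeds 8 MiB."""
    return len(ET.fromstring(data).text or "")  # nosec B314 - deliberate "before" case


# Constructed sample documents (not taken from the project).
BENIGN_REPORT = (
    b'<?xml version="1.0"?>'
    b'<testsuite name="smoke" tests="1"><testcase name="t1"/></testsuite>'
)
SMALL_BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;">
]>
<lolz>&lol2;</lolz>"""


# Hypothetical whitelist: a dotted chain of Python identifiers and nothing else.
# Rejects relative names ("..pkg"), path separators and anything that is not a name.
_MODULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*")


def load_package_if_available(
    name: str, allowed: Optional[Iterable[str]] = None
) -> Optional[ModuleType]:
    """Import `name` only if it is syntactically a module path and, when an
    allow-list is given, a member of it. Returns None if the module is absent.

    The regex alone satisfies a non-literal-import lint but still lets a caller
    name any installed module; pass `allowed` when the loadable set is known.
    """
    if not _MODULE_NAME.fullmatch(name):
        raise ValueError(f"refusing to import suspicious module name {name!r}")
    if allowed is not None and name not in set(allowed):
        raise ValueError(f"{name!r} is not an allowed package")
    try:
        return importlib.import_module(name)  # nosemgrep: name validated above
    except ImportError:
        return None
```

The "before" function is kept beside the hardened one on purpose: running it on the small document shows the four-fold expansion that stdlib performs without complaint, which is the behaviour B314/B318 and the Semgrep rule are warning about. On the import side, note that the regex only closes the Semgrep finding; it does not narrow what can be loaded, so a fixed allow-list of known plug-in packages is what actually bounds the import.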
@codacy-production Bot commented Apr 25, 2026

Up to standards ✅

🟢 Issues: 0 new issues

🟢 Metrics: 0 complexity · 0 duplication


JE-Chen added 2 commits April 25, 2026 14:09
CI installs deps from requirements.txt / dev_requirements.txt against the
published package, so the new pyproject.toml dependency does not reach
the runner until release. Add defusedxml directly so test collection
imports succeed.
Also align dev.toml setuptools floor with pyproject.toml.
@sonarqubecloud

@JE-Chen JE-Chen merged commit 89c9de6 into main Apr 25, 2026
14 checks passed