We recently faced the following bandit error in the oslo.serialization project. It seems bandit 1.7.6 contains the commit 3260f13 and now it rejects importing xmlrpc.
>> Issue: [B411:blacklist] Using client to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
Severity: High Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b411-import-xmlrpclib
Location: oslo_serialization/jsonutils.py:40:0
38 import json
39 import uuid
40 from xmlrpc import client as xmlrpclib
41
42 from oslo_utils import encodeutils
However, bandit still detects the error even if we add the monkey_patch as suggested by the message.
Reproduction steps
1. Run bandit with the code
   from xmlrpc import client as xmlrpclib
2. B411 error is detected
3. Update the code to include the suggested change
   import defusedxml.xmlrpc
   from xmlrpc import client as xmlrpclib
   defusedxml.xmlrpc.monkey_patch()
4. Run bandit again and it still detects the same error
Expected behavior
The execution at step 4 does not detect the error
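The behaviour in the reproduction steps follows from how an import blacklist works: B411 is an import-name check, so it cannot see a later defusedxml.xmlrpc.monkey_patch() call. The following added example (not bandit's own code; the matched module names are assumed from the bandit B411 documentation linked in the report) models such a check over the two snippets from steps 1 and 3 and shows that both trip it:

```python
import ast

# Module names the B411 import blacklist matches (assumed from the bandit
# docs page linked in the report: xmlrpclib and xmlrpc).
XMLRPC_MODULES = ("xmlrpclib", "xmlrpc")


def b411_findings(source: str) -> list[int]:
    """Return the line numbers at which an import-based B411 check fires.

    Only Import / ImportFrom nodes are inspected, which is why a later
    defusedxml.xmlrpc.monkey_patch() call cannot suppress the finding.
    """
    tree = ast.parse(source)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            continue
        for name in names:
            # Compare the top-level package so "xmlrpc.client" also matches.
            if name.split(".")[0] in XMLRPC_MODULES:
                hits.append(node.lineno)
                break
    return hits


# Constructed inputs: the code from reproduction steps 1 and 3.
STEP1 = "from xmlrpc import client as xmlrpclib\n"
STEP3 = (
    "import defusedxml.xmlrpc\n"
    "from xmlrpc import client as xmlrpclib\n"
    "defusedxml.xmlrpc.monkey_patch()\n"
)

if __name__ == "__main__":
    print(b411_findings(STEP1))  # [1]
    print(b411_findings(STEP3))  # [2]: the monkey_patch() call is never consulted
```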
Bandit version
1.7.6 (Default)
Python version
3.11
Additional context
No response