PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

False positive / regression: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML - while defusedxml is used #995

Open Lucas-C opened 1 year ago

Lucas-C commented 1 year ago

Describe the bug

Since the latest 1.7.5 release, code that used to not raise warnings is now detected as invalid by bandit

Reproduction steps

  1. Put the following code in a file named bandit_bug.py

    try:
        from defusedxml.ElementTree import fromstring
    except ImportError:
        from xml.etree.ElementTree import fromstring  # nosec

    print(fromstring(""))

  2. Call `bandit bandit_bug.py`

With `bandit 1.7.5` you will get the following output:

    Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
    Severity: Medium   Confidence: High
    CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
    More Info: https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
    Location: bandit_bug.py:7:6

Expected behavior

With bandit==1.7.4 no error was raised, and I was expecting this behaviour to stay consistent with new bandit releases

Bandit version

1.7.5 (Default)

Python version

3.8

Additional context

Tested with Python 3.8 & Python 3.10

This is not an urgent matter for me, I simply disabled this check locally for now: https://github.com/PyFPDF/fpdf2/pull/718/files#diff-ff268f4fc21f36f22d234ae39a8335470764ff490e1fbd27440d4695c1de0864
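To see why a finding like B314 lands on the call rather than on the import line carrying `# nosec`, here is an added, simplified re-implementation of the import-alias resolution a checker of this kind needs (example code written for this page, not bandit's own implementation; the blacklist dictionary and the embedded copy of the repro file are constructed here). A try/except fallback binds one local name to two modules, so both bindings are kept and the stdlib one is reported at the call site.

```python
import ast

# Qualified names flagged by the B314 check named on this page; the defusedxml
# equivalents are deliberately absent, so only the stdlib fallback is reported.
UNSAFE_XML_CALLS = {"xml.etree.ElementTree.fromstring": "B314",
                    "xml.etree.ElementTree.parse": "B314"}

# Constructed copy of the bandit_bug.py reproduction file from the issue.
REPRO_SOURCE = '''\
try:
    from defusedxml.ElementTree import fromstring
except ImportError:
    from xml.etree.ElementTree import fromstring  # nosec

print(fromstring(""))
'''


def _resolve(func, aliases):
    """Expand a call target (bare name or dotted attribute) to qualified names."""
    if isinstance(func, ast.Name):
        return aliases.get(func.id, {func.id})
    if isinstance(func, ast.Attribute):
        return {f"{base}.{func.attr}" for base in _resolve(func.value, aliases)}
    return set()


def find_unsafe_xml_calls(source):
    """Return (qualified_name, call_line, call_line_has_nosec) for every call
    that resolves to a blacklisted stdlib XML function, sorted by line."""
    tree = ast.parse(source)
    lines = source.splitlines()
    aliases = {}  # local name -> set of qualified names bound to it
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases.setdefault(a.asname or a.name, set()).add(f"{node.module}.{a.name}")
        elif isinstance(node, ast.Import):
            for a in node.names:  # "import x.y as z" binds z; "import x.y" binds x
                local = a.asname or a.name.split(".")[0]
                aliases.setdefault(local, set()).add(a.name if a.asname else local)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            for qualified in _resolve(node.func, aliases):
                if qualified in UNSAFE_XML_CALLS:
                    # Reported at the call site: a "# nosec" on the import line
                    # is not on this line and therefore does not suppress it.
                    findings.append((qualified, node.lineno, "# nosec" in lines[node.lineno - 1]))
    return sorted(findings, key=lambda f: f[1])
```

Running `find_unsafe_xml_calls(REPRO_SOURCE)` reports the stdlib `fromstring` at the `print(...)` line with no `# nosec` on that line, which is the shape of the finding quoted above.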