remove defusedxml in favor of lxml (#9840)

manuel-sommer · web-flow · commit 19bab5914a35 · 2024-07-29T16:42:10.000-05:00
* update to docs

* fix
diff --git a/docs/content/en/contributing/how-to-write-a-parser.md b/docs/content/en/contributing/how-to-write-a-parser.md
@@ -142,6 +142,12 @@ Very bad example:
     finding.unsaved_endpoints = [endpoint]
 ```
 
+### Use the right libraries to parse information
+Various file formats are handled through libraries. In order to keep DefectDojo slim and also don't extend the attack surface, keep the number of libraries used minimal and take other parsers as an example.
+
+#### defusedXML in favour of lxml
+As xml is by default an unsecure format, the information parsed from various xml output has to be parsed in a secure way. Within an evaluation, we determined that defusedXML is the library which we will use in the future to parse xml files in parsers as this library is rated more secure. Thus, we will only accept PRs with the defusedxml library. 
+
 ### Not all attributes are mandatory
 
 Parsers may have many fields, out of which many of them may be optional.
