Sorted requirements, added a comment, removed nosec for exec.

datumaro/datumaro/plugins/openvino_launcher.py

@@ -23,7 +23,7 @@ def __init__(self, path):
             script = f.read()
 
         context = {}
-        exec(script, context, context) # nosec
+        exec(script, context, context)
 
         process_outputs = context['process_outputs']
         assert callable(process_outputs)
@@ -48,6 +48,9 @@ class OpenVinoLauncher(Launcher):
     @staticmethod
     def _check_instruction_set(instruction):
         return instruction == str.strip(
+            # Let's ignore a warning from bandit about using shell=True.
+            # In this case it isn't a security issue and we use some
+            # shell features like pipes.
             subprocess.check_output(
                 'lscpu | grep -o "{}" | head -1'.format(instruction),
                 shell=True).decode('utf-8') # nosec

datumaro/requirements.txt

@@ -1,4 +1,5 @@
 Cython>=0.27.3 # include before pycocotools
+defusedxml>=0.6.0
 GitPython>=3.0.8
 lxml>=4.4.1
 matplotlib<3.1 # 3.1+ requires python3.6, but we have 3.5 in cvat
@@ -8,4 +9,3 @@ pycocotools>=2.0.0
 PyYAML>=5.1.1
 scikit-image>=0.15.0
 tensorboardX>=1.8
-defusedxml>=0.6.0

datumaro/setup.py

@@ -48,17 +48,17 @@ def find_version(file_path=None):
     ],
     python_requires='>=3.5',
     install_requires=[
+        'defusedxml',
         'GitPython',
         'lxml',
         'matplotlib',
         'numpy',
         'opencv-python',
         'Pillow',
-        'PyYAML',
         'pycocotools',
+        'PyYAML',
         'scikit-image',
         'tensorboardX',
-        'defusedxml',
     ],
     extras_require={
         'tf': ['tensorflow'],