fix: resolve Snyk CWE-611 (XXE) and CWE-643 (XPath injection) in report scripts

Use defusedxml for XML parsing in both HTML report scripts to fix insecure parser (XXE/DDoS).

Add Scripts/requirements.txt with defusedxml>=0.7.0.

Replace dynamic XPath with a safe lookup (find all UnitTest, match by id in Python) in both scripts to fix XPath injection.

Author: OMpawar-21

Scripts/generate_enhanced_html_report.py

@@ -158,9 +158,9 @@ def parse_trx(self):
                         test_output = stdout_elem.text
                         structured_output = self.parse_structured_output(test_output)
 
-                # Get test category
+                # Get test category (find by id without dynamic XPath to avoid CWE-643)
                 test_def_id = test_result.get('testId', '')
-                test_def = root.find(f".//UnitTest[@id='{test_def_id}']", ns)
+                test_def = next((el for el in root.findall('.//UnitTest', ns) if el.get('id') == test_def_id), None)
                 category = 'General'
                 if test_def is not None:
                     test_method = test_def.find('.//TestMethod', ns)

Scripts/generate_html_report.py

@@ -78,9 +78,9 @@ def parse_trx(self):
                         if stacktrace_elem is not None:
                             error_stacktrace = stacktrace_elem.text
 
-                # Get test category
+                # Get test category (find by id without dynamic XPath to avoid CWE-643)
                 test_def_id = test_result.get('testId', '')
-                test_def = root.find(f".//UnitTest[@id='{test_def_id}']", ns)
+                test_def = next((el for el in root.findall('.//UnitTest', ns) if el.get('id') == test_def_id), None)
                 category = 'General'
                 if test_def is not None:
                     test_method = test_def.find('.//TestMethod', ns)