diff --git a/datumaro/datumaro/plugins/cvat_format/extractor.py b/datumaro/datumaro/plugins/cvat_format/extractor.py
index 407c551d..014aa90f 100644
--- a/datumaro/datumaro/plugins/cvat_format/extractor.py
+++ b/datumaro/datumaro/plugins/cvat_format/extractor.py
@@ -5,7 +5,7 @@
 from collections import OrderedDict
 import os.path as osp
-import xml.etree as ET
+from defusedxml import ElementTree
 from datumaro.components.extractor import (SourceExtractor,
     DEFAULT_SUBSET_NAME, DatasetItem,
@@ -64,7 +64,7 @@ class CvatExtractor(SourceExtractor):
     @classmethod
     def _parse(cls, path):
-        context = ET.ElementTree.iterparse(path, events=("start", "end"))
+        context = ElementTree.iterparse(path, events=("start", "end"))
         context = iter(context)
         categories, frame_size = cls._parse_meta(context)
diff --git a/datumaro/datumaro/plugins/openvino_launcher.py b/datumaro/datumaro/plugins/openvino_launcher.py
index b0e8360d..10f12fea 100644
--- a/datumaro/datumaro/plugins/openvino_launcher.py
+++ b/datumaro/datumaro/plugins/openvino_launcher.py
@@ -48,9 +48,12 @@ class OpenVinoLauncher(Launcher):
     @staticmethod
     def _check_instruction_set(instruction):
         return instruction == str.strip(
+            # Let's ignore a warning from bandit about using shell=True.
+            # In this case it isn't a security issue and we use some
+            # shell features like pipes.
             subprocess.check_output(
-                'lscpu | grep -o "{}" | head -1'.format(instruction), shell=True
-            ).decode('utf-8')
+                'lscpu | grep -o "{}" | head -1'.format(instruction),
+                shell=True).decode('utf-8') # nosec
         )
     @staticmethod
diff --git a/datumaro/datumaro/plugins/voc_format/extractor.py b/datumaro/datumaro/plugins/voc_format/extractor.py
index 8823426e..29aaad6d 100644
--- a/datumaro/datumaro/plugins/voc_format/extractor.py
+++ b/datumaro/datumaro/plugins/voc_format/extractor.py
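Review bot: Switching `_parse` to `ElementTree.iterparse` from defusedxml means a CVAT annotation file that declares entities or references an external DTD now raises `defusedxml.EntitiesForbidden` / `defusedxml.ExternalReferenceForbidden`, and nothing in this hunk catches it, so a single hostile or merely unusual file aborts the whole import with a traceback that does not name the file. Because iterparse is lazy, the error most likely surfaces where `context` is first consumed (presumably inside `_parse_meta`), not at the line changed here. Consider catching it where the iterator is driven — `except ValueError as e: raise ValueError("Refusing to parse %s: %s" % (path, e)) from e` works without a new import because defusedxml's exceptions derive from ValueError — or at least document the new failure mode in `_parse`'s docstring. `_parse`'s body continues beyond the hunk.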
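Review bot: The new `# nosec` comment asserts that `shell=True` "isn't a security issue", but the hunk does not show where `instruction` comes from, and it is spliced into the command line with `.format` and additionally interpreted by `grep -o` as a regular expression, so the claim holds only while every caller passes a fixed flag name. The shell is not actually needed for this check: `flags = subprocess.check_output(['lscpu']).decode('utf-8')` followed by `return instruction in flags` gives the same answer for a plain flag name (grep -o prints the matched text, which equals `instruction`, and `head -1`/`strip` merely isolate that one match) with no shell, no pipeline and no need for a suppression. If the pipeline is kept, the comment should state the actual safety argument, e.g. `# instruction is a fixed constant supplied by our own callers, never user input`, rather than assert the absence of an issue. Either way a missing or failing `lscpu` (non-Linux host, minimal container) raises `FileNotFoundError`/`CalledProcessError` from this staticmethod, which callers presumably need to handle.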
@@ -7,7 +7,7 @@
 from collections import defaultdict
 import logging as log
 import numpy as np
 import os.path as osp
-from xml.etree import ElementTree as ET
+from defusedxml import ElementTree
 from datumaro.components.extractor import (SourceExtractor,
     DEFAULT_SUBSET_NAME, DatasetItem,
@@ -121,7 +121,7 @@ class _VocXmlExtractor(_VocExtractor):
         anns = []
         ann_file = osp.join(anno_dir, item_id + '.xml')
         if osp.isfile(ann_file):
-            root_elem = ET.parse(ann_file)
+            root_elem = ElementTree.parse(ann_file)
             height = root_elem.find('size/height')
             if height is not None:
                 height = int(height.text)
diff --git a/datumaro/requirements.txt b/datumaro/requirements.txt
index 5d458bd0..c75978fc 100644
--- a/datumaro/requirements.txt
+++ b/datumaro/requirements.txt
@@ -1,4 +1,5 @@
 Cython>=0.27.3 # include before pycocotools
+defusedxml>=0.6.0
 GitPython>=3.0.8
 lxml>=4.4.1
 matplotlib<3.1 # 3.1+ requires python3.6, but we have 3.5 in cvat
diff --git a/datumaro/setup.py b/datumaro/setup.py
index c39f38d2..90c39ce4 100644
--- a/datumaro/setup.py
+++ b/datumaro/setup.py
@@ -48,14 +48,15 @@ setuptools.setup(
     ],
     python_requires='>=3.5',
     install_requires=[
+        'defusedxml',
         'GitPython',
         'lxml',
         'matplotlib',
         'numpy',
         'opencv-python',
         'Pillow',
-        'PyYAML',
         'pycocotools',
+        'PyYAML',
         'scikit-image',
         'tensorboardX',
     ],
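Review bot: `ElementTree.parse(ann_file)` can now raise `defusedxml.EntitiesForbidden` for an annotation file carrying entity declarations, in addition to `ElementTree.ParseError` for malformed XML, and the `osp.isfile` guard above it covers neither, so one bad `<id>.xml` aborts extraction of the entire subset without saying which file. Suggest wrapping the call: `except (ElementTree.ParseError, ValueError) as e: raise ValueError("Failed to parse annotation %s: %s" % (ann_file, e)) from e` — `ParseError` is re-exported by `defusedxml.ElementTree`, and defusedxml's own exceptions subclass `ValueError`, so no extra import is needed. The enclosing method starts and ends outside the hunk.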
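Review bot: `install_requires` adds `defusedxml` with no version constraint while requirements.txt in the same commit pins `defusedxml>=0.6.0`; an install driven by setup.py can therefore resolve an older release than the one the project tested against, and the floor looks deliberate (presumably for iterparse support on newer Pythons). Mirror it: `'defusedxml>=0.6.0',`. Note also that `lxml` stays a dependency, so if any other format plugin still parses XML through lxml rather than the two extractors touched here, that path is not covered by this hardening and is worth a grep.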