Fix issues reported by bandit
This patch fixes these issues:
* B104:hardcoded_bind_all_interfaces: ignore this issue from bandit
command line.
* B320:blacklist: use defusedxml.ElementTree.fromstring instead of
lxml.etree.fromstring.
* B506:yaml_load: use yaml.safe_load instead.
* B608:hardcoded_sql_expressions: fixed in a migration.
Signed-off-by: Chenxiong Qi <cqi@redhat.com>