flake8-bandit: skip S408/S409 inside TYPE_CHECKING blocks

gcomneno · gcomneno · commit 5ba556b7a9e8 · 2026-02-20T10:10:33.000+01:00
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S408_type_checking.py b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S408_type_checking.py
@@ -0,0 +1,4 @@
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from xml.dom.minidom import Element
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/mod.rs b/crates/ruff_linter/src/rules/flake8_bandit/mod.rs
@@ -67,6 +67,7 @@ mod tests {
     #[test_case(Rule::SuspiciousXmlExpatImport, Path::new("S407.pyi"))]
     #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408.py"))]
     #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408.pyi"))]
+    #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408_type_checking.py"))]
     #[test_case(Rule::SuspiciousXmlPulldomImport, Path::new("S409.py"))]
     #[test_case(Rule::SuspiciousXmlPulldomImport, Path::new("S409.pyi"))]
     #[test_case(Rule::SuspiciousLxmlImport, Path::new("S410.py"))]
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_imports.rs b/crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_imports.rs
@@ -370,6 +370,9 @@ pub(crate) fn suspicious_imports(checker: &Checker, stmt: &Stmt) {
         return;
     }
 
+    // Imports inside `if TYPE_CHECKING:` are not executed at runtime.
+    let is_type_checking_block = checker.semantic().in_type_checking_block();
+
     match stmt {
         Stmt::Import(ast::StmtImport { names, .. }) => {
             for name in names {
@@ -397,10 +400,16 @@ pub(crate) fn suspicious_imports(checker: &Checker, stmt: &Stmt) {
                         checker.report_diagnostic_if_enabled(SuspiciousXmlExpatImport, name.range);
                     }
                     "xml.dom.minidom" => {
+                        if is_type_checking_block {
+                            continue;
+                        }
                         checker
                             .report_diagnostic_if_enabled(SuspiciousXmlMinidomImport, name.range);
                     }
                     "xml.dom.pulldom" => {
+                        if is_type_checking_block {
+                            continue;
+                        }
                         checker
                             .report_diagnostic_if_enabled(SuspiciousXmlPulldomImport, name.range);
                     }
@@ -482,12 +491,18 @@ pub(crate) fn suspicious_imports(checker: &Checker, stmt: &Stmt) {
                                 );
                             }
                             "minidom" => {
+                                if is_type_checking_block {
+                                    continue;
+                                }
                                 checker.report_diagnostic_if_enabled(
                                     SuspiciousXmlMinidomImport,
                                     identifier.range(),
                                 );
                             }
                             "pulldom" => {
+                                if is_type_checking_block {
+                                    continue;
+                                }
                                 checker.report_diagnostic_if_enabled(
                                     SuspiciousXmlPulldomImport,
                                     identifier.range(),
@@ -502,12 +517,18 @@ pub(crate) fn suspicious_imports(checker: &Checker, stmt: &Stmt) {
                         .report_diagnostic_if_enabled(SuspiciousXmlExpatImport, identifier.range());
                 }
                 "xml.dom.minidom" => {
+                    if is_type_checking_block {
+                        return;
+                    }
                     checker.report_diagnostic_if_enabled(
                         SuspiciousXmlMinidomImport,
                         identifier.range(),
                     );
                 }
                 "xml.dom.pulldom" => {
+                    if is_type_checking_block {
+                        return;
+                    }
                     checker.report_diagnostic_if_enabled(
                         SuspiciousXmlPulldomImport,
                         identifier.range(),
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S408_S408_type_checking.py.snap b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S408_S408_type_checking.py.snap
@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+assertion_line: 98
+---
+

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
 +assertion_line: 98
 +---
++