[flake8-bandit] Allow suspicious imports in TYPE_CHECKING blocks (S401-S415) (#23441)

Fix false positives for S408/S409 when `xml.dom.minidom` or
`xml.dom.pulldom` are imported inside `if TYPE_CHECKING:` blocks.

Imports inside TYPE_CHECKING are not executed at runtime, so they should
not trigger these Bandit-based security rules.

Adds a dedicated fixture and snapshot test for the TYPE_CHECKING case.

Refs #14901

Author: gcomneno

crates/ruff_linter/resources/test/fixtures/flake8_bandit/S408_type_checking.py

@@ -0,0 +1,4 @@
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from xml.dom.minidom import Element

crates/ruff_linter/src/rules/flake8_bandit/mod.rs

@@ -67,6 +67,7 @@ mod tests {
     #[test_case(Rule::SuspiciousXmlExpatImport, Path::new("S407.pyi"))]
     #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408.py"))]
     #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408.pyi"))]
+    #[test_case(Rule::SuspiciousXmlMinidomImport, Path::new("S408_type_checking.py"))]
     #[test_case(Rule::SuspiciousXmlPulldomImport, Path::new("S409.py"))]
     #[test_case(Rule::SuspiciousXmlPulldomImport, Path::new("S409.pyi"))]
     #[test_case(Rule::SuspiciousLxmlImport, Path::new("S410.py"))]

crates/ruff_linter/src/rules/flake8_bandit/rules/suspicious_imports.rs

@@ -370,6 +370,11 @@ pub(crate) fn suspicious_imports(checker: &Checker, stmt: &Stmt) {
         return;
     }
 
+    // Imports inside `if TYPE_CHECKING:` are not executed at runtime.
+    if checker.semantic().in_type_checking_block() {
+        return;
+    }
+
     match stmt {
         Stmt::Import(ast::StmtImport { names, .. }) => {
             for name in names {

crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S408_S408_type_checking.py.snap

@@ -0,0 +1,5 @@
+---
+source: crates/ruff_linter/src/rules/flake8_bandit/mod.rs
+assertion_line: 98
+---
+