SONARPY-2993: S6437: Fix False Positive when an F-string is used and contains a formatted expression (#716)

joke1196 · sonartech · commit acfabc1adb6c · 2025-12-18T15:45:54.000Z
GitOrigin-RevId: 3fbfcbd700893f4c73e9242f58474d8f49802bd1
diff --git a/python-checks/src/main/java/org/sonar/python/checks/HardcodedCredentialsCallCheck.java b/python-checks/src/main/java/org/sonar/python/checks/HardcodedCredentialsCallCheck.java
@@ -89,12 +89,14 @@ private static void checkArgument(SubscriptionContext ctx, RegularArgument argum
       Optional.of(argExp)
         .filter(StringLiteral.class::isInstance)
         .map(StringLiteral.class::cast)
+        .filter(Predicate.not(HardcodedCredentialsCallCheck::containsFormattedExpressions))
         .filter(HardcodedCredentialsCallCheck::isNotEmpty)
         .ifPresent(string -> ctx.addIssue(argument, MESSAGE));
     } else if (argExp.is(Tree.Kind.NAME)) {
       findAssignment((Name) argExp, 0)
         .filter(StringLiteral.class::isInstance)
         .map(StringLiteral.class::cast)
+        .filter(Predicate.not(HardcodedCredentialsCallCheck::containsFormattedExpressions))
         .filter(HardcodedCredentialsCallCheck::isNotEmpty)
         .ifPresent(assignedValue -> ctx.addIssue(argument, MESSAGE).secondary(assignedValue, MESSAGE));
     }
@@ -104,7 +106,12 @@ private static boolean isNotEmpty(StringLiteral stringLiteral) {
     return Optional.of(stringLiteral)
       .map(StringLiteral::trimmedQuotesValue)
       .filter(Predicate.not(String::isEmpty))
-      .isPresent();
+      .isPresent(); 
+  }
+
+  private static boolean containsFormattedExpressions(StringLiteral stringLiteral) {
+    return stringLiteral.stringElements().stream()
+      .anyMatch(element -> !element.formattedExpressions().isEmpty());
   }
 
   private static Optional<Tree> findAssignment(Name name, int depth) {
diff --git a/python-checks/src/test/resources/checks/hardcodedCredentialsCall.py b/python-checks/src/test/resources/checks/hardcodedCredentialsCall.py
@@ -112,14 +112,17 @@ def ldap_methods_check(p):
 import pgdb
 import pg
 
-def db_connect(pwd):
+def db_connect(pwd, PASS):
     mysql.connector.connect(host='localhost', user='sonarsource', password='')
     mysql.connector.connect(host='localhost', password='', user='sonarsource')
     mysql.connector.connect('localhost', 'sonarsource', '')
 
     mysql.connector.connection.MySQLConnection(host='localhost', user='sonarsource', password='')
     pymysql.connect(host='localhost', user='sonarsource', password='')
     pymysql.connections.Connection(host='localhost', user='sonarsource', password='abc') # Noncompliant
+    pymysql.connections.Connection(host='localhost', user='sonarsource', password=f'{PASS}') # Compliant
+    pymysql.connections.Connection(host='localhost', user='sonarsource', password=f'') # Compliant
+    pymysql.connections.Connection(host='localhost', user='sonarsource', password=f'pass') # Noncompliant
     psycopg2.connect(host='localhost', user='postgres', password='')
     pgdb.connect(host='localhost', user='postgres', password='')
 
