[flake8-bandit] Check S105 for annotated assignment (#15059)

tarasmatsyk · web-flow · commit 85e71ba91ae5 · 2024-12-19T12:26:40.000Z
## Summary A follow up PR on #14991 Ruff ignores hardcoded passwords for typed variables. Add a rule to catch passwords in typed code bases ## Test Plan Includes 2 more test typed variables
diff --git a/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S105.py b/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S105.py
@@ -21,6 +21,8 @@
 password = safe = "s3cr3t"
 PASSWORD = "s3cr3t"
 PassWord = "s3cr3t"
+password: str = "s3cr3t"
+password: Final = "s3cr3t"
 
 d["password"] = "s3cr3t"
 d["pass"] = "s3cr3t"
diff --git a/crates/ruff_linter/src/checkers/ast/analyze/statement.rs b/crates/ruff_linter/src/checkers/ast/analyze/statement.rs
@@ -1658,6 +1658,15 @@ pub(crate) fn statement(stmt: &Stmt, checker: &mut Checker) {
             if checker.enabled(Rule::NonPEP695TypeAlias) {
                 pyupgrade::rules::non_pep695_type_alias(checker, assign_stmt);
             }
+            if checker.enabled(Rule::HardcodedPasswordString) {
+                if let Some(value) = value.as_deref() {
+                    flake8_bandit::rules::assign_hardcoded_password_string(
+                        checker,
+                        value,
+                        std::slice::from_ref(target),
+                    );
+                }
+            }
             if checker.settings.rules.enabled(Rule::UnsortedDunderAll) {
                 ruff::rules::sort_dunder_all_ann_assign(checker, assign_stmt);
             }
diff --git a/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S105_S105.py.snap b/crates/ruff_linter/src/rules/flake8_bandit/snapshots/ruff_linter__rules__flake8_bandit__tests__S105_S105.py.snap
