tonybaloney / pycharm-security

Finds security holes in your Python projects from PyCharm and GitHub
https://pycharm-security.readthedocs.io/en/latest/?badge=latest
MIT License
328 stars, 21 forks

False-Positive STR100 inspection on local scope string in class method? #157

Open martinpakosch opened 3 years ago

martinpakosch commented 3 years ago

Hi,

Today I updated to PyCharm 2020.2.2 with the latest compatible Python-Security plugin. I noticed a new inspection error I did not get with PyCharm 2020.1.3 and the corresponding plugin version (no idea which one).

However, I understand the background of this STR100 inspection. But in my case (see example) I assume it is a false-positive error. It shows up on the template.format() call where template is a local scope variable inside the class method. Maybe I do not understand the vulnerability completely, but how can this (constant) format string template be a risk/manipulated from outside?

Do I get something wrong with the vulnerability? Or is the inspection just unable to differentiate between scopes/variable context/definition (would be fine to know)? Or is it a bug?

class anything(object):
    # ...
    def report(self):
        template = "{C}{left:37}{N}  {EQ}  {C}{right:37}{N}"  # Using max. 80 chars.
        if False in self.equal.values():
            for key in self.datakeys:
                self.print(
                    template.format(  # STR100 is reported on this call
                        left=self.left.get(key, 'Unknown'),
                        right=self.right.get(key, 'Unknown'),
                        EQ='>>' if not self.equal.get(key) else '==',
                        C=fg.BLUE if not self.equal.get(key) else '',
                        N=fg.NONE if not self.equal.get(key) else '',
                    )
                )

Kind regards, Martin

liiight commented 3 years ago

This occurs for any .format() it sees. I encounter the same issue with pendulum.DateTime.format as well.
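To illustrate the scope distinction the two comments above are asking about (a `.format()` call on a string literal or on a local that is only ever bound to a literal cannot be influenced by input, while a parameter or a reassigned name can), here is a small `ast`-based checker written as an added example; it is not code from pycharm-security, and the `SAMPLE` source, the function names and the `ast.unparse` (Python 3.9+) usage are my assumptions.

```python
import ast
def _literal_only_names(func):
    # Names bound only to str literals here; parameters and non-literal (re)assignments disqualify.
    tainted = {a.arg for a in func.args.args + func.args.kwonlyargs}
    literal = set()
    for stmt in ast.walk(func):
        if isinstance(stmt, ast.Assign):
            is_lit = isinstance(stmt.value, ast.Constant) and isinstance(stmt.value.value, str)
            for t in stmt.targets:
                if isinstance(t, ast.Name):
                    (literal if is_lit else tainted).add(t.id)
        elif isinstance(stmt, (ast.AugAssign, ast.AnnAssign)) and isinstance(stmt.target, ast.Name):
            tainted.add(stmt.target.id)
    return literal - tainted

class FormatReceiverChecker(ast.NodeVisitor):
    # Reports .format() calls whose receiver is neither a str literal nor a literal-only local.
    def __init__(self):
        self.findings = []   # (line, receiver source)
        self._scopes = []    # stack of literal-only name sets, innermost last
    def visit_FunctionDef(self, node):
        self._scopes.append(_literal_only_names(node))
        self.generic_visit(node)
        self._scopes.pop()
    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr == "format":
            recv = f.value
            is_literal = isinstance(recv, ast.Constant) and isinstance(recv.value, str)
            is_local_const = isinstance(recv, ast.Name) and bool(self._scopes) and recv.id in self._scopes[-1]
            if not (is_literal or is_local_const):
                self.findings.append((node.lineno, ast.unparse(recv)))  # ast.unparse: Python 3.9+
        self.generic_visit(node)

def find_dynamic_format_calls(source):
    checker = FormatReceiverChecker()
    checker.visit(ast.parse(source))
    return checker.findings

# Constructed sample: the issue's literal-only local template, then two receivers that should be reported.
SAMPLE = '''class Report:
    def constant_template(self):
        template = "{left:37}  {right:37}"
        return template.format(left=self.left, right=self.right)
    def caller_template(self, tmpl):
        return tmpl.format(left=self.left)
    def reassigned_template(self, user_input):
        template = "{left}"
        template = user_input
        return template.format(left=self.left)
'''
```

Without type information a checker like this still reports `.format()` on receivers it cannot resolve, so the `pendulum.DateTime.format` case mentioned above would remain a finding unless the receiver's type is known.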