suspicious-httpoxy-import (S412) has false negatives, as uncovered in #19009. The rule currently only applies to ImportFrom statements, not calls to the insecure code:

from wsgiref.handlers import CGIHandler  # S412
from twisted.web.twcgi import CGIScript  # S412

import wsgiref.handlers
import twisted.web.twcgi

wsgiref.handlers.CGIHandler()  # False negative?
twisted.web.twcgi.CGIScript()  # False negative?

These are caught by the upstream linter:

$ cat <<EOF | uvx --with flake8-bandit flake8 --select S -
from wsgiref.handlers import CGIHandler  # S412
from twisted.web.twcgi import CGIScript  # S412

import wsgiref.handlers
import twisted.web.twcgi

wsgiref.handlers.CGIHandler()  # False negative?
twisted.web.twcgi.CGIScript()  # False negative?
EOF
Unable to find qualified name for module: stdin
stdin:1:1: S412 Consider possible security implications associated with CGIHandler module.
stdin:2:1: S412 Consider possible security implications associated with CGIScript module.
stdin:7:1: S412 Consider possible security implications associated with wsgiref.handlers.CGIHandler module.
stdin:8:1: S412 Consider possible security implications associated with twisted.web.twcgi.CGIScript module.

Possible solutions

A simple solution would just be to flag any import from wsgiref.handlers. Based on the docs, I think everything in that module is related to CGI and could fall under the rule, not just CGIHandler. I think the same is true for twisted.web.twcgi, which seems to be under active development still.

A more complicated solution would be to check for calls like the upstream linter. If we decide to go this route, we may need to assess other flake8-bandit rules for similar issues.

However, after writing this up, I'm pretty strongly leaning toward just flagging any import, which is in line with our other flake8-bandit rules.

cc @MeGaGiGaGon who found the initial problem and helped track down the root of the issue