f-strings marked with a `# nosec BXXX` show an incorrect warning about no failed tests appears

[Cabalist]

Describe the bug

When running bandit against code using f-strings that are marked with # nosec BXXX a warning appears when there should not be one. This happens for both single-line and multi-line f-strings. The behaviour is not present when using blanket nosec or when using template strings.

Works:

table = "my_table"
query = f"SELECT * FROM {table} WHERE True"  # nosec

table = "my_table"
query = (f"SELECT * "
         f"FROM {table} "  # nosec
         f"WHERE True")

table = "my_table"
query = ("SELECT * "
         "FROM {} "  # nosec B608
         "WHERE True".format(table)
         )

Incorrect Warning:

[tester] WARNING nosec encountered (B608), but no failed test on line 3

table = "my_table"
query = (f"SELECT * "
         f"FROM {table} "  # nosec B608
         f"WHERE True")

[tester] WARNING nosec encountered (B608), but no failed test on line 2

table = "my_table"
query = f"SELECT * FROM {table} WHERE True"  # nosec B608

Reproduction steps

1.  Create a file foo.py with the following code:

table = "my_table"
query = f"SELECT * FROM {table} WHERE True"  # nosec B608

2. Run `bandit foo.py`
3. Notice that in the run info there is a warning:
   `[tester]        WARNING nosec encountered (B608), but no failed test on line 2`

Expected behavior

No warning appears when the a nosec correctly applies to a failed test.

Bandit version

1.7.10 (Default)

Python version

3.12

Additional context

This seems related to #942, #1003, #1041 and #1092

While playing around I applied the patch from #1004 but that did not resolve this issue.

[DrCuriosity]

I'm getting a similar problem. With the following line:

raw_sql = f'UPDATE "{table_name}" SET "{column_name}" = :new_value WHERE "{column_name}" = :old_value'

I get a B608 result as-is. If I add # nosec B608 then I get three warnings:

[tester] WARNING nosec encountered (B608), but no failed test on line nnn
[tester] WARNING nosec encountered (B608), but no failed test on line nnn
[tester] WARNING nosec encountered (B608), but no failed test on line nnn

So I seem to be getting one warning for each interpolation in the f-string.

If instead I add # nosec with no specificity, the warnings go away.

Versions

I'm using Python 3.12.3 on Ubuntu Linux.

Initially found on: bandit==1.8.6
Confirming as above issue description, also seeing warning on: bandit==1.7.10
Last version where warning is not present: bandit==1.7.2

So I guess something came in at 1.7.3 that is giving these spurious warnings?

[hgsanya]

On version 1.8.6 it works if I add #nosec after the closing """

query = (
      f"""
      SELECT * FROM table WHERE id IN ({placeholders})
      """  # nosec B608
  )