SONARPY-3985 Fix S3457 false positive for f-strings in marimo SQL cells (#1043)

sonar-nigel[bot] · Vibe Bot · Seppli11 · sonartech · commit cc5343658b23 · 2026-04-09T14:31:14.000Z
Co-authored-by: Vibe Bot &lt;vibe-bot@sonarsource.com&gt;
Co-authored-by: Sebastian Zumbrunn &lt;sebastian.zumbrunn@sonarsource.com&gt;
GitOrigin-RevId: 0f0c179885f2f4b46af00c1ae9b8afcffebdff17
diff --git a/python-checks/src/main/java/org/sonar/python/checks/StringFormatCorrectnessCheck.java b/python-checks/src/main/java/org/sonar/python/checks/StringFormatCorrectnessCheck.java
@@ -26,6 +26,9 @@
 import org.sonar.check.Rule;
 import org.sonar.plugins.python.api.SubscriptionContext;
 import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatcher;
+import org.sonar.plugins.python.api.types.v2.matchers.TypeMatchers;
+import org.sonar.plugins.python.api.tree.ArgList;
 import org.sonar.plugins.python.api.tree.BinaryExpression;
 import org.sonar.plugins.python.api.tree.CallExpression;
 import org.sonar.plugins.python.api.tree.DictionaryLiteral;
@@ -44,6 +47,8 @@
 @Rule(key = "S3457")
 public class StringFormatCorrectnessCheck extends AbstractStringFormatCheck {
 
+  private static final TypeMatcher MARIMO_SQL_MATCHER = TypeMatchers.isType("marimo.sql");
+
   private static final Set<String> LOGGER_FULL_NAMES = new HashSet<>(Arrays.asList(
     "logging.debug", "logging.info", "logging.warning", "logging.error", "logging.critical",
     "logging.Logger.debug", "logging.Logger.info", "logging.Logger.warning", "logging.Logger.error", "logging.Logger.critical"
@@ -114,11 +119,28 @@ private static void checkFStringLiteral(SubscriptionContext ctx) {
       .filter(stringElement -> stringElement.prefix().toLowerCase(Locale.ENGLISH).contains("f"))
       .toList();
 
-    if (!fStrings.isEmpty() && fStrings.stream().allMatch(str -> str.formattedExpressions().isEmpty())) {
+    if (!fStrings.isEmpty() && fStrings.stream().allMatch(str -> str.formattedExpressions().isEmpty())
+        && !isMarimoSqlArgument(literal, ctx)) {
       ctx.addIssue(literal, "Add replacement fields or use a normal string instead of an f-string.");
     }
   }
 
+  private static boolean isMarimoSqlArgument(StringLiteral literal, SubscriptionContext ctx) {
+    Tree parent = literal.parent();
+    if (!(parent instanceof RegularArgument)) {
+      return false;
+    }
+    Tree argList = parent.parent();
+    if (!(argList instanceof ArgList)) {
+      return false;
+    }
+    Tree callParent = argList.parent();
+    if (!(callParent instanceof CallExpression callExpression)) {
+      return false;
+    }
+    return MARIMO_SQL_MATCHER.isTrueFor(callExpression.callee(), ctx);
+  }
+
   private static void checkLoggerLog(SubscriptionContext ctx, CallExpression callExpression) {
     if (callExpression.arguments().isEmpty() || callExpression.arguments().stream().anyMatch(argument -> !argument.is(Tree.Kind.REGULAR_ARGUMENT))) {
       return;
diff --git a/python-checks/src/test/resources/checks/stringFormatCorrectness.py b/python-checks/src/test/resources/checks/stringFormatCorrectness.py
@@ -119,3 +119,26 @@ def edge_case():
     no_such_function('hello')
     l4 = no_such_function('')
     l4.error("Foo %s", "Bar", "too many")
+
+
+import marimo as mo
+
+def marimo_sql():
+    mo.sql(f"SELECT * FROM table")
+    mo.sql(
+        f"""
+        SELECT plugin_rule_key, COUNT(*) as cnt
+        FROM issues
+        GROUP BY plugin_rule_key
+        """
+    )
+    engine = None
+    mo.sql(
+        f"""
+        SELECT id, name
+        FROM users
+        WHERE active = 1
+        """,
+        engine=engine
+    )
+
diff --git a/python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/marimo.protobuf b/python-frontend/src/main/resources/org/sonar/python/types/custom_protobuf/marimo.protobuf
@@ -31,6 +31,13 @@ marimo.App*
 args
 Any*
 kwargs
+AnyX
+sql
+marimo.sql"
+Any*'
+query
+builtins.str"builtins.str*
+kwargs
 Any*g
 __path__marimo.__path__J
 builtins.list[builtins.str]
diff --git a/python-frontend/typeshed_serializer/checksums/custom.checksum b/python-frontend/typeshed_serializer/checksums/custom.checksum
@@ -1,2 +1,2 @@
-669032ff87c6a7027931d1987597a4371fc80b9da0f7817762518ec75d1fa357
-8a2fb0e2abba9b8e562913a29440ec31c7fd322f0c31d2d64d9a6c9591b444ed
+4ed5a5d152958ba1e643059b3f9957815405f44596c64d268aa525aab7c74b5e
+4394f7b9850885f1aab48413ba65f330a2c5c83a626202c0075d44b217f37643
diff --git a/python-frontend/typeshed_serializer/resources/custom/marimo/__init__.pyi b/python-frontend/typeshed_serializer/resources/custom/marimo/__init__.pyi
@@ -5,3 +5,5 @@ class App(CustomStubBase):
     def __init__(self, *args: Any, **kwargs: Any) -> None: ...
     def cell(self, *args: Any, **kwargs: Any) -> Any: ...
     def function(self, *args: Any, **kwargs: Any) -> Any: ...
+
+def sql(query: str, **kwargs: Any) -> Any: ...

-Original file line number
+Diff line change
 args
 Any*
 kwargs
 +AnyX
 +sql
 +marimo.sql"
 +Any*'
 +query
 +builtins.str"builtins.str*
 +kwargs
 Any*g
 __path__marimo.__path__J
 builtins.list[builtins.str]