Hi Mark,
Thanks for sharing code examples. Rule pythonsecurity:S5334 is not designed to raise every time eval is used (apparently it's the approach Semgrep chose). It only raises an issue when untrusted values are evaluated.

As of today, we don't consider the return values of input as untrusted and this is why pythonsecurity:S5334 is not raising an issue in your case.

By default, we only consider values from incoming HTTP requests as untrusted. Here is a code example of a flask application where an issue is raised:
```python
from flask import Flask, request
import something  # placeholder import kept from the original example

app = Flask(__name__)


@app.route("/")
def example():
    # request.args comes from the incoming HTTP request, so it is untrusted
    operation = request.args.get("operation")
    eval(f"product_{operation}()")  # Noncompliant (S5334)
    return "OK"
```
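As an added example (not part of the reply above or of SonarSource's rule documentation), here is the same route without eval: the request-controlled value is only used as a key into an allowlist of known functions, so nothing untrusted is ever evaluated and S5334 has nothing to flag. Flask is left out so the block runs with the standard library alone; `handle_query` stands in for the route, `product_add`, `product_list` and `PRODUCT_OPERATIONS` are assumed names.

```python
from urllib.parse import parse_qs


# Assumed business functions standing in for the product_* functions
# that the original eval() call tried to reach by name.
def product_add():
    return "product added"


def product_list():
    return "product listed"


# Explicit allowlist: the only way a request can reach a function is through
# one of these keys, so an arbitrary "operation" string cannot execute code.
PRODUCT_OPERATIONS = {
    "add": product_add,
    "list": product_list,
}


def run_operation(operation):
    """Dispatch to an allowlisted function; None for anything unknown."""
    handler = PRODUCT_OPERATIONS.get(operation)
    if handler is None:
        return None
    return handler()


def handle_query(query_string):
    """Stand-in for the Flask route: query string in, (status, body) out.

    In the Flask version this is request.args.get("operation"); the value is
    treated as untrusted data and used only for the dictionary lookup above.
    """
    params = parse_qs(query_string)
    operation = params.get("operation", [None])[0]
    result = run_operation(operation)
    if result is None:
        # Unknown operation: reject the request rather than evaluating anything
        return 400, "unknown operation"
    return 200, result
```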