Python: Clarify SensitiveAttributeAccess

The comment about imports was placed wrong. I also realized we didn't
even have a single test-case for
`this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)`
so I added that (notice that this is only `getattr(foo, x)` and not
`getattr(foo, "password")`)

python/ql/test/experimental/dataflow/sensitive-data/test.py

@@ -29,6 +29,9 @@ foo = ObjectFromDatabase()
 foo.secret # $ SensitiveDataSource=secret
 foo.username # $ SensitiveDataSource=id
 
+getattr(foo, "password") # $ SensitiveDataSource=password
+x = "password"
+getattr(foo, x) # $ SensitiveDataSource=password
 
 # based on variable/parameter names
 def my_func(password): # $ SensitiveDataSource=password