Use bare nosemgrep and ESLint block-disables so Codacy honours suppressions

Author: JE-Chen

browser-extension/background.js

@@ -26,9 +26,10 @@ async function loadState() {
     // fires on the spread of an unsanitised storage value. ``stored``
     // is whatever chrome.storage round-trips for us; we only ever
     // copy own enumerable properties onto a fresh default.
-    // eslint-disable-next-line security/detect-object-injection
+    /* eslint-disable security/detect-object-injection */
     const saved = Object.prototype.hasOwnProperty.call(stored, STATE_KEY)
         ? stored[STATE_KEY] : null;
+    /* eslint-enable security/detect-object-injection */
     if (saved == null || typeof saved !== "object") {
         return Object.assign({}, DEFAULT_STATE);
     }
@@ -81,7 +82,7 @@ export function actionFor(event) {
     }
 }
 
-// eslint-disable-next-line security-node/detect-unhandled-async-errors
+/* eslint-disable security-node/detect-unhandled-async-errors */
 async function handleMessage(message, _sender, sendResponse) {
     const state = await loadState();
     switch (message?.command) {
@@ -129,6 +130,7 @@ async function handleMessage(message, _sender, sendResponse) {
             sendResponse({ ok: false, reason: "unknown command" });
     }
 }
+/* eslint-enable security-node/detect-unhandled-async-errors */
 
 if (typeof chrome !== "undefined" && chrome.runtime) {
     chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {

browser-extension/popup.js

@@ -10,7 +10,7 @@ function send(command, extra = {}) {
     });
 }
 
-// eslint-disable-next-line security-node/detect-unhandled-async-errors
+/* eslint-disable security-node/detect-unhandled-async-errors */
 async function refresh() {
     const reply = await send("status");
     const state = reply.state || {};
@@ -19,6 +19,7 @@ async function refresh() {
     document.getElementById("count").textContent =
         String((state.actions || []).length);
 }
+/* eslint-enable security-node/detect-unhandled-async-errors */
 
 // Wrap every async event-handler invocation of refresh() in a logged
 // .catch so a thrown promise can't drop silently

je_auto_control/linux_wayland/keyboard.py

@@ -45,8 +45,7 @@ def _run(argv: list, *, timeout: float = 5.0) -> None:
     # argv comes from a private allow-list (wtype / ydotool absolute
     # paths via shutil.which), never user input; no shell=True.
     try:
-        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-        subprocess.run(  # nosec B603
+        subprocess.run(  # nosec B603  # nosemgrep
             argv, check=True, timeout=timeout,
             stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
         )

je_auto_control/linux_wayland/mouse.py

@@ -43,8 +43,7 @@ def _run(argv: list, *, timeout: float = 5.0) -> None:
     # argv comes from a private allow-list (ydotool absolute path via
     # shutil.which), never user input; no shell=True.
     try:
-        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-        subprocess.run(  # nosec B603
+        subprocess.run(  # nosec B603  # nosemgrep
             argv, check=True, timeout=timeout,
             stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
         )

je_auto_control/linux_wayland/screen.py

@@ -40,8 +40,7 @@ def _run(argv: list, *, timeout: float = 10.0) -> bytes:
     # argv comes from a private allow-list (grim / wlr-randr absolute
     # paths via shutil.which), never user input; no shell=True.
     try:
-        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-        completed = subprocess.run(  # nosec B603
+        completed = subprocess.run(  # nosec B603  # nosemgrep
             argv, check=True, timeout=timeout,
             stdout=subprocess.PIPE, stderr=subprocess.PIPE,
         )

test/unit_test/headless/test_self_healing.py

@@ -232,8 +232,7 @@ def test_package_facade_stays_qt_free():
     )
     # subprocess spawned with [sys.executable, ...] — known interpreter,
     # fixed argv list, no shell=True, no user input.
-    # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-    result = subprocess.run(  # nosec B603
+    result = subprocess.run(  # nosec B603  # nosemgrep
         [sys.executable, "-c", script],
         capture_output=True, text=True, check=True, timeout=60,
     )

test/unit_test/headless/test_wayland_backend.py

@@ -96,8 +96,7 @@ def runner(argv, **_kwargs):
         captured.append(list(argv))
         # CompletedProcess is a *constructor* (not a process spawn);
         # used here to mock subprocess.run's return value.
-        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-        result = subprocess.CompletedProcess(argv, 0, b"", b"")
+        result = subprocess.CompletedProcess(argv, 0, b"", b"")  # nosemgrep
         return result
     return runner
 
@@ -234,9 +233,8 @@ def test_screenshot_calls_grim_with_path():
     with patch.object(wayland_screen, "binary_path",
                       return_value="/usr/bin/grim"), \
          patch.object(wayland_screen.subprocess, "run",
-                      # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
                       side_effect=lambda argv, **kw: (captured.append(argv)
-                       or subprocess.CompletedProcess(argv, 0, b"", b""))):
+                       or subprocess.CompletedProcess(argv, 0, b"", b""))):  # nosemgrep
         wayland_screen.screenshot("out.png")
     assert captured == [["/usr/bin/grim", "out.png"]]