Fix Codacy findings on PR 202

- use-defused-xml: switch test XML parse to defusedxml.ElementTree; justify
  the write-only xml.etree import in reports.py (no untrusted parsing)
- dangerous-subprocess-use-audit: nosemgrep on the Qt-free subprocess probe
  (fixed argv, sys.executable, no shell)
- pylint not-callable: disable on registry.usb_client getter guarded by callable()

Author: JE-Chen

je_auto_control/utils/remote_desktop/registry.py

@@ -363,6 +363,7 @@ def webrtc_usb_client(self):
         if viewer is None:
             return None
         getter = getattr(viewer, "usb_client", None)
+        # pylint: disable=not-callable  # reason: guarded by callable(getter)
         return getter() if callable(getter) else None
 
 

je_auto_control/utils/test_suite/reports.py

@@ -12,7 +12,7 @@
 
 import json
 import uuid
-import xml.etree.ElementTree as ET
+import xml.etree.ElementTree as ET  # nosemgrep  # nosec B405  # reason: write-only XML generation; never parses untrusted input
 from pathlib import Path
 from typing import Any, Dict, List
 

test/unit_test/headless/test_assertions.py

@@ -30,7 +30,7 @@ def test_assertion_import_stays_qt_free():
         "qt = [m for m in sys.modules if 'PySide6' in m]\n"
         "import json; print(json.dumps(qt))\n"
     )
-    result = subprocess.run(  # nosec B603
+    result = subprocess.run(  # nosec B603  # nosemgrep
         [sys.executable, "-c", script],
         capture_output=True, text=True, check=True, timeout=60,
     )

test/unit_test/headless/test_test_suite.py

@@ -1,5 +1,5 @@
 """Headless tests for the QA suite runner, reports, and quarantine."""
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 from pathlib import Path
 
 import pytest