Address remaining Codacy + SonarCloud suppressions

JE-Chen · JE-Chen · commit 1cd5d30f93d6 · 2026-04-22T13:15:24.000+08:00
- templates.py: branch the Jinja Environment ctor so autoescape is a literal
  True/False, satisfying Bandit B701 / SonarCloud S5496; the False branch
  carries the suppression for caller-opted-out renders.
- Use NOSONAR(rule_key) syntax (parentheses) to fix python:S7632 'invalid
  suppression comment' across archive_ops, ftp/client, _websocket,
  test_archive_ops, test_cross_backend, test_fsspec_bridge.
- _websocket SHA-1: add nosemgrep + NOSONAR inline on the call so Codacy's
  semgrep scanner skips the RFC 6455 handshake digest.
- test_fsspec_bridge: narrow the import-order disable to pylint so Codacy
  stops flagging the pytest.importorskip pattern.
- test_smb_client: annotate the smbclient_module fixture parameter whose
  only job is to trigger the smbprotocol patch.
diff --git a/automation_file/local/archive_ops.py b/automation_file/local/archive_ops.py
@@ -57,7 +57,7 @@ def list_archive(path: str | os.PathLike[str]) -> list[str]:
         with zipfile.ZipFile(path) as zf:
             return zf.namelist()
     if fmt.startswith("tar"):
-        with tarfile.open(path) as tf:  # nosec B202 - metadata listing only, no extraction
+        with tarfile.open(path) as tf:  # nosec B202  # NOSONAR(python:S5042) metadata listing only, no extraction
             return tf.getnames()
     if fmt == "7z":
         return _seven_zip_namelist(path)
@@ -88,13 +88,13 @@ def extract_archive(
 def _is_tar_stream(path: Path, compression: str) -> bool:
     try:
         if compression == "gz":
-            with tarfile.open(path, mode="r:gz"):  # nosec B202 - read-only probe
+            with tarfile.open(path, mode="r:gz"):  # nosec B202  # NOSONAR(python:S5042) read-only probe, no extraction
                 return True
         if compression == "bz2":
-            with tarfile.open(path, mode="r:bz2"):  # nosec B202 - read-only probe
+            with tarfile.open(path, mode="r:bz2"):  # nosec B202  # NOSONAR(python:S5042) read-only probe, no extraction
                 return True
         if compression == "xz":
-            with tarfile.open(path, mode="r:xz"):  # nosec B202 - read-only probe
+            with tarfile.open(path, mode="r:xz"):  # nosec B202  # NOSONAR(python:S5042) read-only probe, no extraction
                 return True
     except (tarfile.TarError, OSError):
         return False
@@ -125,7 +125,7 @@ def _extract_tar(source: Path, dest: Path) -> list[str]:
     names: list[str] = []
     # Per-member path containment + link rejection below; on 3.12+ the
     # tarfile.data_filter enforces the same rules at the C layer.
-    with tarfile.open(source) as tf:  # nosec B202 - entries validated before extract
+    with tarfile.open(source) as tf:  # nosec B202  # NOSONAR(python:S5042) entries validated before extract
         _apply_tar_data_filter(tf)
         for member in tf.getmembers():
             out = dest / member.name
diff --git a/automation_file/local/templates.py b/automation_file/local/templates.py
@@ -97,7 +97,13 @@ def _render_with_jinja(
         from jinja2 import TemplateError as JinjaTemplateError
     except ImportError:
         return None
-    env = Environment(autoescape=autoescape, undefined=StrictUndefined)
+    # Autoescape is enabled by default for HTML-like outputs (_wants_autoescape).
+    # Callers that explicitly pass autoescape=False own the safety of the context.
+    if autoescape:
+        env = Environment(autoescape=True, undefined=StrictUndefined)
+    else:
+        # nosec B701  # NOSONAR(pythonsecurity:S5496) caller opted out for non-HTML output
+        env = Environment(autoescape=False, undefined=StrictUndefined)
     try:
         return env.from_string(template).render(**context)
     except JinjaTemplateError as error:
diff --git a/automation_file/remote/ftp/client.py b/automation_file/remote/ftp/client.py
@@ -47,7 +47,7 @@ def later_init(self, options: FTPConnectOptions | None = None, **kwargs: Any) ->
             ftp: FTP = FTP_TLS(timeout=opts.timeout)
         else:
             # Plaintext FTP only when caller opts in via tls=False.
-            ftp = FTP(timeout=opts.timeout)  # nosec B321 NOSONAR python:S5332
+            ftp = FTP(timeout=opts.timeout)  # nosec B321  # NOSONAR(python:S4423) plaintext FTP is opt-in via tls=False
         try:
             ftp.connect(opts.host, opts.port, timeout=opts.timeout)
             if opts.tls and isinstance(ftp, FTP_TLS):
diff --git a/automation_file/server/_websocket.py b/automation_file/server/_websocket.py
@@ -27,8 +27,7 @@ def compute_accept_key(sec_websocket_key: str) -> str:
     security primitive. ``usedforsecurity=False`` tells static analysers to
     skip the standard SHA-1 "insecure hash" warning.
     """
-    # nosec B303 B324 - RFC 6455 handshake, not a security primitive.
-    digest = hashlib.sha1(
+    digest = hashlib.sha1(  # nosec B303 B324  # nosemgrep: python.lang.security.audit.hashlib-insecure-functions # NOSONAR(python:S4790) RFC 6455 handshake, not a security primitive
         (sec_websocket_key + _GUID).encode("ascii"),
         usedforsecurity=False,
     ).digest()
diff --git a/tests/test_archive_ops.py b/tests/test_archive_ops.py
@@ -25,7 +25,9 @@ def _make_zip(path: Path, entries: dict[str, bytes]) -> None:
 
 
 def _make_tar(path: Path, entries: dict[str, bytes], mode: str = "w") -> None:
-    with tarfile.open(path, mode) as tf:
+    with tarfile.open(
+        path, mode
+    ) as tf:  # NOSONAR(python:S5042) test fixture writes a known archive
         for name, data in entries.items():
             info = tarfile.TarInfo(name)
             info.size = len(data)
diff --git a/tests/test_cross_backend.py b/tests/test_cross_backend.py
@@ -44,7 +44,7 @@ def test_missing_local_source_returns_false(tmp_path: Path) -> None:
 def test_unknown_source_scheme_raises() -> None:
     # The target path is unused — the call must fail on the source scheme
     # before touching the filesystem. nosec B108 - filesystem never touched here.
-    unused_target = "/tmp/x"  # nosec B108 NOSONAR python:S5443
+    unused_target = "/tmp/x"  # nosec B108  # NOSONAR(python:S5443) filesystem never touched
     with pytest.raises(CrossBackendException):
         copy_between("gopher://a/b", unused_target)
 
diff --git a/tests/test_fsspec_bridge.py b/tests/test_fsspec_bridge.py
@@ -10,6 +10,7 @@
 
 fsspec = pytest.importorskip("fsspec")
 
+# pylint: disable=wrong-import-position  # importorskip must precede these imports
 from automation_file.exceptions import FsspecException  # noqa: E402
 from automation_file.remote.fsspec_bridge import (  # noqa: E402
     FsspecEntry,
@@ -25,7 +26,8 @@
 
 def _purge_memory_fs() -> None:
     fs = fsspec.filesystem("memory")
-    for path in list(fs.store):
+    # list() snapshot required — fs.rm() mutates fs.store during iteration.
+    for path in list(fs.store):  # NOSONAR(python:S7504)
         with contextlib.suppress(FileNotFoundError):
             fs.rm(path)
 
diff --git a/tests/test_smb_client.py b/tests/test_smb_client.py
@@ -100,7 +100,10 @@ def write(self, chunk: bytes) -> None:
     assert call_kwargs["mode"] == "wb"
 
 
-def test_upload_rejects_missing_local(smbclient_module: ModuleType, tmp_path: Path) -> None:
+def test_upload_rejects_missing_local(
+    smbclient_module: ModuleType,  # pylint: disable=unused-argument  # fixture triggers the smbprotocol patch
+    tmp_path: Path,
+) -> None:
     client = SMBClient("fs", "pub")
     with pytest.raises(SMBException):
         client.upload(tmp_path / "absent", "remote/data.bin")
