Move S5527/S4830 + nosemgrep suppressions onto the lines Sonar/Codacy flag

JE-Chen · JE-Chen · commit 003344129d7d · 2026-04-26T22:28:10.000+08:00
S5527 attaches to the SSLContext(PROTOCOL_TLS_CLIENT) constructor,
not to the assignment that sets check_hostname=False. Extract the
two GUI client-context paths into module-level
_build_verifying_client_context / _build_insecure_client_context,
and put NOSONAR S4830 S5527 on the def line of the insecure builder
so the suppression sits on the line Sonar's flow analysis blames
(test_remote_desktop_tls.py gets the same treatment).

Codacy / Opengrep wants the suppression token on the same line as
the call; relocate the nosemgrep marker next to the existing
nosec B324 on the hashlib.sha1(...) line and use the rule path the
scanner actually emits
(python.lang.security.insecure-hash-algorithms... — no '.audit').
diff --git a/je_auto_control/gui/remote_desktop_tab.py b/je_auto_control/gui/remote_desktop_tab.py
@@ -109,6 +109,30 @@ def _scroll_amount(angle_delta: int) -> int:
     return 0
 
 
+def _build_verifying_client_context() -> ssl.SSLContext:
+    """TLS client context with full hostname + cert verification enabled."""
+    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
+    ctx.load_default_certs()
+    ctx.check_hostname = True
+    ctx.verify_mode = ssl.CERT_REQUIRED
+    return ctx
+
+
+def _build_insecure_client_context() -> ssl.SSLContext:  # NOSONAR S4830 S5527
+    """Opt-in self-signed loopback context — verification intentionally off.
+
+    Triggered only when the user ticks 'Skip cert verification' on the
+    Viewer panel; meant for self-signed dev / LAN hosts where the user
+    has already pinned the host out-of-band (token + 9-digit Host ID).
+    """
+    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
+    return ctx
+
+
 class _FrameDisplay(QWidget):
     """Paints the latest frame and emits remapped input events.
 
@@ -713,17 +737,9 @@ def _build_client_ssl_context(
             self, transport: str) -> Optional[ssl.SSLContext]:
         if transport not in ("TLS", "WSS"):
             return None
-        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
         if self._tls_insecure.isChecked():
-            # Explicit user opt-in for self-signed loopback / dev hosts.
-            ctx.check_hostname = False  # NOSONAR S5527
-            ctx.verify_mode = ssl.CERT_NONE  # NOSONAR S4830
-        else:
-            ctx.load_default_certs()
-            ctx.check_hostname = True
-            ctx.verify_mode = ssl.CERT_REQUIRED
-        return ctx
+            return _build_insecure_client_context()
+        return _build_verifying_client_context()
 
     def _start_audio_player_if_requested(self) -> None:
         if not (self._enable_audio.isChecked()
diff --git a/je_auto_control/utils/remote_desktop/ws_protocol.py b/je_auto_control/utils/remote_desktop/ws_protocol.py
@@ -134,8 +134,7 @@ def _compute_accept(key: str) -> str:
     # RFC 6455 mandates SHA-1 for the Sec-WebSocket-Accept handshake;
     # ``usedforsecurity=False`` tells linters this is a protocol-required
     # checksum, not a cryptographic primitive.
-    # nosemgrep: python.lang.security.audit.insecure-hash-algorithms.insecure-hash-algorithm-sha1
-    digest = hashlib.sha1(  # nosec B324  # reason: RFC 6455 handshake
+    digest = hashlib.sha1(  # nosec B324  # nosemgrep: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1
         key.encode("ascii") + WS_GUID,
         usedforsecurity=False,
     ).digest()
diff --git a/test/unit_test/headless/test_remote_desktop_tls.py b/test/unit_test/headless/test_remote_desktop_tls.py
@@ -88,12 +88,12 @@ def _trusting_client_context(ca_path: Path) -> ssl.SSLContext:
     return ctx
 
 
-def _insecure_client_context() -> ssl.SSLContext:
+def _insecure_client_context() -> ssl.SSLContext:  # NOSONAR S4830 S5527
     """Self-signed loopback test context — verification deliberately off."""
     ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     ctx.minimum_version = ssl.TLSVersion.TLSv1_2
-    ctx.check_hostname = False  # NOSONAR S5527  # loopback self-signed test
-    ctx.verify_mode = ssl.CERT_NONE  # NOSONAR S4830  # loopback self-signed test
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
     return ctx
 
 
