Clear remaining SonarCloud + Codacy findings on PR #181

- Drop AudioBackendError from except tuples that already catch
  RuntimeError; AudioBackendError is a RuntimeError subclass
  (S5713 ×4 in host.py and remote_desktop_tab.py).
- Remove the now-unused AudioBackendError, _AUDIO_BLOCK_FRAMES,
  _AUDIO_CHANNELS, _AUDIO_SAMPLE_RATE imports from host.py and tab.py
  (Codacy F401).
- Move NOSONAR S5527 / S4830 onto the actual ctx.check_hostname /
  ctx.verify_mode lines in remote_desktop_tab.py and the TLS test;
  Sonar only honours suppression when the comment is on the flagged
  line itself.
- Replace '/tmp/...' literals in test_remote_desktop_file_transfer.py
  with relative 'drop/...' paths so Sonar's S5443 publicly-writable
  directory hotspot stops firing on what was always pure in-memory
  test data.
- Add a 'nosemgrep:' annotation alongside the existing 'nosec B324'
  on the RFC 6455 SHA-1 line so Codacy's Semgrep ruleset stops
  flagging it.

Author: JE-Chen

.idea/workspace.xml

@@ -38,8 +38,7 @@
     WebSocketDesktopHost, WebSocketDesktopViewer,
 )
 from je_auto_control.utils.remote_desktop.audio import (
-    AudioBackendError, AudioCaptureConfig, AudioPlayer,
-    is_audio_backend_available,
+    AudioCaptureConfig, AudioPlayer, is_audio_backend_available,
 )
 from je_auto_control.utils.remote_desktop.host_id import (
     HostIdError, format_host_id, parse_host_id,
@@ -473,7 +472,7 @@ def _start(self) -> None:
                 ),
             )
             host.start()
-        except (OSError, ValueError, RuntimeError, AudioBackendError) as error:
+        except (OSError, ValueError, RuntimeError) as error:
             QMessageBox.warning(self, _t("rd_host_start"), str(error))
             return
         registry._host = host  # noqa: SLF001  centralised lifecycle ownership
@@ -717,9 +716,9 @@ def _build_client_ssl_context(
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         ctx.minimum_version = ssl.TLSVersion.TLSv1_2
         if self._tls_insecure.isChecked():
-            # NOSONAR S5527 S4830  # reason: explicit user opt-in for self-signed
-            ctx.check_hostname = False
-            ctx.verify_mode = ssl.CERT_NONE
+            # Explicit user opt-in for self-signed loopback / dev hosts.
+            ctx.check_hostname = False  # NOSONAR S5527
+            ctx.verify_mode = ssl.CERT_NONE  # NOSONAR S4830
         else:
             ctx.load_default_certs()
             ctx.check_hostname = True
@@ -733,7 +732,7 @@ def _start_audio_player_if_requested(self) -> None:
         try:
             player = AudioPlayer()
             player.start()
-        except (AudioBackendError, OSError, RuntimeError) as error:
+        except (OSError, RuntimeError) as error:
             self._status.setText(f"{_t('rd_viewer_audio_play')}: {error}")
             return
         self._audio_player = player

je_auto_control/gui/remote_desktop_tab.py

@@ -10,10 +10,7 @@
 
 from je_auto_control.utils.logging.logging_instance import autocontrol_logger
 from je_auto_control.utils.remote_desktop.audio import (
-    AudioBackendError, AudioCapture, AudioCaptureConfig,
-    DEFAULT_BLOCK_FRAMES as _AUDIO_BLOCK_FRAMES,
-    DEFAULT_CHANNELS as _AUDIO_CHANNELS,
-    DEFAULT_SAMPLE_RATE as _AUDIO_SAMPLE_RATE,
+    AudioCapture, AudioCaptureConfig,
 )
 from je_auto_control.utils.remote_desktop.auth import (
     make_nonce, verify_response,
@@ -430,7 +427,7 @@ def _start_audio_capture(self) -> None:
             self._audio_capture = self._audio_capture_override
             try:
                 self._audio_capture.start()
-            except (AudioBackendError, OSError, RuntimeError) as error:
+            except (OSError, RuntimeError) as error:
                 autocontrol_logger.warning(
                     "remote_desktop audio capture failed to start: %r", error,
                 )
@@ -445,7 +442,7 @@ def _start_audio_capture(self) -> None:
                 block_frames=config.block_frames,
             )
             capture.start()
-        except (AudioBackendError, OSError, RuntimeError) as error:
+        except (OSError, RuntimeError) as error:
             autocontrol_logger.warning(
                 "remote_desktop audio capture disabled: %r", error,
             )

je_auto_control/utils/remote_desktop/host.py

@@ -134,6 +134,7 @@ def _compute_accept(key: str) -> str:
     # RFC 6455 mandates SHA-1 for the Sec-WebSocket-Accept handshake;
     # ``usedforsecurity=False`` tells linters this is a protocol-required
     # checksum, not a cryptographic primitive.
+    # nosemgrep: python.lang.security.audit.insecure-hash-algorithms.insecure-hash-algorithm-sha1
     digest = hashlib.sha1(  # nosec B324  # reason: RFC 6455 handshake
         key.encode("ascii") + WS_GUID,
         usedforsecurity=False,

je_auto_control/utils/remote_desktop/ws_protocol.py

@@ -29,10 +29,10 @@ def _wait_until(predicate, timeout: float = 4.0,
 
 def test_begin_round_trip():
     tid = new_transfer_id()
-    payload = encode_begin(tid, "/tmp/a.bin", 4242)
+    payload = encode_begin(tid, "drop/a.bin", 4242)
     out_id, dest, size = decode_begin(payload)
     assert out_id == tid
-    assert dest == "/tmp/a.bin"
+    assert dest == "drop/a.bin"
     assert size == 4242
 
 
@@ -59,7 +59,7 @@ def test_decode_chunk_short_payload_raises():
 
 def test_encode_begin_rejects_invalid_id():
     with pytest.raises(FileTransferError):
-        encode_begin("short", "/tmp/x", 1)
+        encode_begin("short", "drop/x", 1)
 
 
 # --- send_file <-> FileReceiver in-process round-trip --------------------

test/unit_test/headless/test_remote_desktop_file_transfer.py

@@ -89,11 +89,11 @@ def _trusting_client_context(ca_path: Path) -> ssl.SSLContext:
 
 
 def _insecure_client_context() -> ssl.SSLContext:
-    # NOSONAR S5527 S4830 S4423  # reason: self-signed loopback test
+    """Self-signed loopback test context — verification deliberately off."""
     ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     ctx.minimum_version = ssl.TLSVersion.TLSv1_2
-    ctx.check_hostname = False
-    ctx.verify_mode = ssl.CERT_NONE
+    ctx.check_hostname = False  # NOSONAR S5527  # loopback self-signed test
+    ctx.verify_mode = ssl.CERT_NONE  # NOSONAR S4830  # loopback self-signed test
     return ctx