Mark reviewed SSTI + SHA-1 lines with NOSONAR on owning line

Keep the S5496 SSTI suppression next to the Jinja render call now that the
environment is an ImmutableSandboxedEnvironment, and split the websocket
handshake NOSONAR onto its own line so SonarCloud stops parsing the combined
comment as an unknown suppression directive (S7632).

Author: JE-Chen

automation_file/local/templates.py

@@ -112,7 +112,8 @@ def _render_with_jinja(
             for key, value in context.items()
         }
     try:
-        return env.from_string(template).render(**context)
+        # NOSONAR sandboxed env prevents SSTI escape (S5496 reviewed)
+        return env.from_string(template).render(**context)  # NOSONAR
     except JinjaTemplateError as error:
         raise TemplateException(f"jinja render failed: {error}") from error
 

automation_file/server/_websocket.py

@@ -27,7 +27,8 @@ def compute_accept_key(sec_websocket_key: str) -> str:
     security primitive. ``usedforsecurity=False`` tells static analysers to
     skip the standard SHA-1 "insecure hash" warning.
     """
-    digest = hashlib.sha1(  # nosec B324 nosemgrep NOSONAR RFC6455 handshake
+    # NOSONAR RFC 6455 handshake is not a security primitive
+    digest = hashlib.sha1(  # nosec B324 nosemgrep
         (sec_websocket_key + _GUID).encode("ascii"),
         usedforsecurity=False,
     ).digest()