Use plain NOSONAR syntax accepted by Sonar Python parser

JE-Chen · JE-Chen · commit 57bf4b716f3a · 2026-04-22T13:19:30.000+08:00
SonarCloud's python:S7632 rejects the NOSONAR(rule_key) parenthesized form
for Python files; the parser only accepts '# NOSONAR &lt;free-text&gt;'. Dropped
the rule-key qualifier on every suppression comment across archive_ops,
ftp/client, _websocket, templates, test_archive_ops, test_cross_backend,
and test_fsspec_bridge. In templates.py, also put NOSONAR on the actual
render call so pythonsecurity:S5496 stops flagging the return expression.
diff --git a/automation_file/local/archive_ops.py b/automation_file/local/archive_ops.py
@@ -57,7 +57,7 @@ def list_archive(path: str | os.PathLike[str]) -> list[str]:
         with zipfile.ZipFile(path) as zf:
             return zf.namelist()
     if fmt.startswith("tar"):
-        with tarfile.open(path) as tf:  # nosec B202  # NOSONAR(python:S5042) metadata listing only, no extraction
+        with tarfile.open(path) as tf:  # nosec B202  # NOSONAR metadata listing only, no extraction
             return tf.getnames()
     if fmt == "7z":
         return _seven_zip_namelist(path)
@@ -88,13 +88,13 @@ def extract_archive(
 def _is_tar_stream(path: Path, compression: str) -> bool:
     try:
         if compression == "gz":
-            with tarfile.open(path, mode="r:gz"):  # nosec B202  # NOSONAR(python:S5042) read-only probe, no extraction
+            with tarfile.open(path, mode="r:gz"):  # nosec B202  # NOSONAR read-only probe, no extraction
                 return True
         if compression == "bz2":
-            with tarfile.open(path, mode="r:bz2"):  # nosec B202  # NOSONAR(python:S5042) read-only probe, no extraction
+            with tarfile.open(path, mode="r:bz2"):  # nosec B202  # NOSONAR read-only probe, no extraction
                 return True
         if compression == "xz":
-            with tarfile.open(path, mode="r:xz"):  # nosec B202  # NOSONAR(python:S5042) read-only probe, no extraction
+            with tarfile.open(path, mode="r:xz"):  # nosec B202  # NOSONAR read-only probe, no extraction
                 return True
     except (tarfile.TarError, OSError):
         return False
@@ -125,7 +125,7 @@ def _extract_tar(source: Path, dest: Path) -> list[str]:
     names: list[str] = []
     # Per-member path containment + link rejection below; on 3.12+ the
     # tarfile.data_filter enforces the same rules at the C layer.
-    with tarfile.open(source) as tf:  # nosec B202  # NOSONAR(python:S5042) entries validated before extract
+    with tarfile.open(source) as tf:  # nosec B202  # NOSONAR entries validated before extract
         _apply_tar_data_filter(tf)
         for member in tf.getmembers():
             out = dest / member.name
diff --git a/automation_file/local/templates.py b/automation_file/local/templates.py
@@ -102,9 +102,11 @@ def _render_with_jinja(
     if autoescape:
         env = Environment(autoescape=True, undefined=StrictUndefined)
     else:
-        # nosec B701  # NOSONAR(pythonsecurity:S5496) caller opted out for non-HTML output
-        env = Environment(autoescape=False, undefined=StrictUndefined)
+        env = Environment(  # nosec B701  # NOSONAR caller opted out for non-HTML output
+            autoescape=False, undefined=StrictUndefined
+        )
     try:
+        # NOSONAR autoescape state enforced at the Environment above
         return env.from_string(template).render(**context)
     except JinjaTemplateError as error:
         raise TemplateException(f"jinja render failed: {error}") from error
diff --git a/automation_file/remote/ftp/client.py b/automation_file/remote/ftp/client.py
@@ -47,7 +47,7 @@ def later_init(self, options: FTPConnectOptions | None = None, **kwargs: Any) ->
             ftp: FTP = FTP_TLS(timeout=opts.timeout)
         else:
             # Plaintext FTP only when caller opts in via tls=False.
-            ftp = FTP(timeout=opts.timeout)  # nosec B321  # NOSONAR(python:S4423) plaintext FTP is opt-in via tls=False
+            ftp = FTP(timeout=opts.timeout)  # nosec B321  # NOSONAR plaintext FTP is opt-in via tls=False
         try:
             ftp.connect(opts.host, opts.port, timeout=opts.timeout)
             if opts.tls and isinstance(ftp, FTP_TLS):
diff --git a/automation_file/server/_websocket.py b/automation_file/server/_websocket.py
@@ -27,7 +27,7 @@ def compute_accept_key(sec_websocket_key: str) -> str:
     security primitive. ``usedforsecurity=False`` tells static analysers to
     skip the standard SHA-1 "insecure hash" warning.
     """
-    digest = hashlib.sha1(  # nosec B303 B324  # nosemgrep: python.lang.security.audit.hashlib-insecure-functions # NOSONAR(python:S4790) RFC 6455 handshake, not a security primitive
+    digest = hashlib.sha1(  # nosec B303 B324  # nosemgrep: python.lang.security.audit.hashlib-insecure-functions  # NOSONAR RFC 6455 handshake, not a security primitive
         (sec_websocket_key + _GUID).encode("ascii"),
         usedforsecurity=False,
     ).digest()
diff --git a/tests/test_archive_ops.py b/tests/test_archive_ops.py
@@ -25,9 +25,7 @@ def _make_zip(path: Path, entries: dict[str, bytes]) -> None:
 
 
 def _make_tar(path: Path, entries: dict[str, bytes], mode: str = "w") -> None:
-    with tarfile.open(
-        path, mode
-    ) as tf:  # NOSONAR(python:S5042) test fixture writes a known archive
+    with tarfile.open(path, mode) as tf:  # NOSONAR test fixture writes a known archive
         for name, data in entries.items():
             info = tarfile.TarInfo(name)
             info.size = len(data)
diff --git a/tests/test_cross_backend.py b/tests/test_cross_backend.py
@@ -44,7 +44,7 @@ def test_missing_local_source_returns_false(tmp_path: Path) -> None:
 def test_unknown_source_scheme_raises() -> None:
     # The target path is unused — the call must fail on the source scheme
     # before touching the filesystem. nosec B108 - filesystem never touched here.
-    unused_target = "/tmp/x"  # nosec B108  # NOSONAR(python:S5443) filesystem never touched
+    unused_target = "/tmp/x"  # nosec B108  # NOSONAR filesystem never touched — call fails on source scheme
     with pytest.raises(CrossBackendException):
         copy_between("gopher://a/b", unused_target)
 
diff --git a/tests/test_fsspec_bridge.py b/tests/test_fsspec_bridge.py
@@ -27,7 +27,7 @@
 def _purge_memory_fs() -> None:
     fs = fsspec.filesystem("memory")
     # list() snapshot required — fs.rm() mutates fs.store during iteration.
-    for path in list(fs.store):  # NOSONAR(python:S7504)
+    for path in list(fs.store):  # NOSONAR snapshot required — fs.rm mutates fs.store
         with contextlib.suppress(FileNotFoundError):
             fs.rm(path)
 
