@sap/eslint-plugin-cds 3.2.0 → 4.0.2

package/lib/rules/js/no-deep-sap-cds-import.js

@@ -0,0 +1,56 @@
+'use strict'
+const allowList = new Set([
+  // exception: not part of the facade and should be available to users this way
+  '@sap/cds/eslint.config.mjs'
+])
+
+/**
+ * @param {string} importPath
+ * @param {RuleContext} context
+ * @param {Node} node
+ */
+function checkImport (importPath, context, node) {
+  if (!importPath.startsWith('@sap/cds/')) return
+  if (allowList.has(importPath)) return
+  context.report({
+    node,
+    messageId: 'noDeepSapCdsImports',
+    data: { import: importPath }
+  })
+}
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      recommended: true,
+      category: 'JavaScript Validation',
+      description: 'Warn about deep imports from @sap/cds.'
+    },
+    schema: [],
+    messages: {
+      noDeepSapCdsImports: `"{{import}}" is a deep import. The API of @sap/cds is available only from its facade via 'require("@sap/cds")' or 'import ... from "@sap/cds"'.`,
+    },
+    hasSuggestions: false
+  },
+  create: context => ({
+    CallExpression(node) {
+      // look for: require('@sap/cds/...')
+      if (node.callee.type !== 'Identifier') return
+      if (node.callee.name !== 'require') return
+      if (node.arguments.length !== 1) return
+      if (node.arguments[0].type !== 'Literal') return
+      checkImport(node.arguments[0].value, context, node)
+    },
+
+    ImportDeclaration(node) {
+      // import ... from '@sap/cds/...'
+      checkImport(node.source.value, context, node)
+    },
+
+    ImportExpression(node) {
+      // await import('@sap/cds/...')
+      checkImport(node.source.value, context, node)
+    }
+  })
+}

package/lib/rules/js/no-shared-handler-variable.js

@@ -0,0 +1,73 @@
+/*
+Use cases not yet covered:
+
+//---------
+INLINE EXTENSION
+class FooService extends require('@sap/cds').ApplicationService { ... }
+
+//---------
+REFERENCED FUNCTION
+function bad() { ... }
+
+class ... {
+    this.on('', bad)
+}
+
+//---------
+METHOD
+class ... {
+    bad () {}
+
+    this.on('', this.bad)
+}
+
+//---------
+IMPORTED FUNCTION
+const { bad } = require('./bad')
+
+class ... {
+    this.on('', bad)
+}
+
+//---------
+NON-CLASS-BASED CDS SERVICE
+cds.services['myService'].on('READ', 'Books', () => {})
+*/
+
+'use strict'
+
+const { RULE_CATEGORIES } = require('../../constants')
+const { CdsHandlerRule } = require('./CdsHandlerRule')
+
+class NoSharedVariable extends CdsHandlerRule {
+  AssignmentExpression(node) {
+    if (!this.isInsideCapHandlerRegistration) return
+    const declaringScope = this.findDefinitionScope(node.left.name)
+    if (declaringScope?.isLocal === false) {
+      this.context.report({
+        node,
+        messageId: 'noSharedHandlerVariable',
+        data: {
+          definitionScope: declaringScope.scope.name
+        }
+      })
+    }
+  }
+}
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      recommended: true,
+      category: RULE_CATEGORIES.javascript,
+      description: 'Enforce that variables can not be used to share state between handlers.'
+    },
+    schema: [],
+    messages: {
+      noSharedHandlerVariable: 'Assignment to a non-local variable inside a CDS event handler (was declared in scope "{{definitionScope}}").'
+    },
+    hasSuggestions: true
+  },
+  create: context => new NoSharedVariable(context).asESLintVisitor()
+}

package/lib/rules/js/types.d.ts

@@ -0,0 +1,15 @@
+export declare namespace CdsContextTracker {
+    type VariableType = 'let' | 'const' | 'var' | 'import'
+
+    type Variable = {
+        name: string, 
+        original: string
+        type: VariableType,
+        isCdsVariable: boolean
+    }
+
+    type Scope = {
+        name: string,
+        variables: Variable[]
+    }
+}

package/lib/rules/js/use-cql-select-template-strings.js

@@ -0,0 +1,35 @@
+'use strict'
+
+const { RULE_CATEGORIES } = require('../../constants')
+const { CdsHandlerRule } = require('./CdsHandlerRule')
+
+class CqlSelectUseTemplateStrings extends CdsHandlerRule {
+  CallExpression(node) {
+    super.CallExpression(node)
+    if (node.callee?.name === 'SELECT' && node.arguments[0].type === 'TemplateLiteral') {
+      this.context.report({
+        node,
+        message: 'Do not use SELECT(`...`), which is prone to SQL injections.',
+        suggest: [{
+          desc: 'Use SELECT`...` instead',
+          fix: fixer => fixer.replaceText(node, `SELECT${this.context.getSourceCode().getText(node.arguments[0])}`)
+        }]
+      })
+    }
+  }
+}
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      recommended: true,
+      category: RULE_CATEGORIES.javascript,
+      description: 'Discourage use of SELECT(...), which allows SQL injections, in favour of SELECT`...`.'
+    },
+    fixable: 'code',
+    schema: [],
+    hasSuggestions: true
+  },
+  create: context => new CqlSelectUseTemplateStrings(context).asESLintVisitor()
+}

package/lib/rules/latest-cds-version.js

@@ -2,11 +2,13 @@
 
 const cp = require('child_process')
 const semver = require('semver')
+const { RULE_CATEGORIES } = require('../constants')
 
 module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.environment,
       description: 'Checks whether the latest `@sap/cds` version is being used.',
     },
     type: 'suggestion',

package/lib/rules/no-db-keywords.js

@@ -1,6 +1,7 @@
 'use strict'
 
 const cds = require('@sap/cds')
+const { RULE_CATEGORIES } = require('../constants')
 
 // REVISIT: Replace by compiler-provided check
 const RESERVED = cds.compile.to.sql.sqlite
@@ -11,6 +12,7 @@ module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.model,
       description: 'Avoid using reserved SQL keywords.',
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/no-db-keywords',
     },

package/lib/rules/no-dollar-prefixed-names.js

@@ -1,9 +1,45 @@
 'use strict'
 
+const { RULE_CATEGORIES } = require('../constants')
+
+/**
+ * Util to check if an entity is part of an external service.
+ */
+class ExternalServices {
+  hasExternalServices = false
+  externalServices = Object.create(null)
+
+  static create(model) {
+    return new ExternalServices(model)
+  }
+
+  constructor(model) {
+    for (const defName in model.definitions) {
+      const def = model.definitions[defName]
+      if (def?.kind === 'service' && def['@cds.external']) {
+        this.externalServices[defName] = true
+        this.hasExternalServices = true
+      }
+    }
+  }
+
+  isInExternalService(defName) {
+    if (!this.hasExternalServices)
+      return false // shortcut
+    const segments = defName.split('.')
+    for (let i = segments.length - 1; i >= 0; i--)
+      if (this.externalServices[segments.slice(0, i).join('.')])
+        return true
+    return false
+  }
+
+}
+
 module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.model,
       description: 'Names must not start with $ to avoid possible shadowing of reserved variables.',
       recommended: true,
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/no-dollar-prefixed-names',
@@ -13,17 +49,39 @@ module.exports = {
     },
     type: 'problem'
   },
-  create (context) {
-    return { element: _check }
 
-    function _check (d) {
-      const srv = d._service || (d.parent && d.parent._service)
-      if (srv && srv['@cds.external']) return
-      if (d.name.startsWith('$')) {
+  create(context) {
+    const model = context.getModel()
+    if (!model?.definitions)
+      return
+
+    const externals = ExternalServices.create(model)
+
+    return function checkAllElementsForDollarPrefix() {
+      for (const defName in model.definitions) {
+        if (!externals.isInExternalService(defName))
+          checkElements(defName, model.definitions[defName])
+      }
+    }
+
+    function checkElements(defName, def) {
+      if (!Object.hasOwn(def,'elements') || !def.elements || typeof def.elements !== 'object')
+        return
+
+      for (const elementName in def.elements) {
+        const element = def.elements[elementName]
+        check(elementName, element)
+        if (element.elements)
+          checkElements(elementName, element)
+      }
+    }
+
+    function check(name, def) {
+      if (name.startsWith('$')) {
         context.report({
           messageId: 'dollarPrefix',
-          data: { name: d.name },
-          node: context.getNode(d)
+          data: { name },
+          loc: context.getLocation(name, def, model),
         })
       }
     }

package/lib/rules/no-java-keywords.js

@@ -1,5 +1,6 @@
 'use strict'
 
+const { RULE_CATEGORIES } = require('../constants')
 // Check that Java keywords are not used as identifiers unless they have
 // a Java-specific annotation that renames/ignores them.  This avoids issues
 // later on in code-generation of CAP Java classes.
@@ -26,6 +27,7 @@ module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.model,
       description: 'Reject reserved Java keywords as CDS identifiers.',
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/no-java-keywords',
     },

package/lib/rules/no-join-on-draft.js

@@ -1,9 +1,12 @@
 'use strict'
 
+const { RULE_CATEGORIES } = require('../constants')
+
 module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.model,
       description: 'Draft-enabled entities shall not be used in views that make use of `JOIN`.',
       recommended: true,
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/no-join-on-draft',

package/lib/rules/sql-cast-suggestion.js

@@ -1,40 +1,64 @@
 'use strict'
 
+const { RULE_CATEGORIES } = require('../constants')
+
 module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.model,
       description: 'Should make suggestions for possible missing SQL casts.',
       recommended: true,
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/sql-cast-suggestion',
     },
     type: 'suggestion',
     messages: {
-      missingSQLCast: 'Potential issue - Missing SQL cast for column expression?'
-    }
+      missingSqlCast: 'Potential issue - Missing SQL cast for column expression?'
+    },
+    model: 'parsed',
   },
   create: function (context) {
-    return { view: checkSqlCast }
+    const model = context.getModel()
+    if (!model?.definitions)
+      return
+
+    return function checkAllElementsStartWithLowercase() {
+      for (const defName in model.definitions) {
+        const def = model.definitions[defName]
+        checkSqlCastsInView(defName, def)
+      }
+    }
 
-    function checkSqlCast (v) {
+    function checkSqlCastsInView(defName, def) {
       // TODO: restructure and make more robust (#507)
-      if (v?.query?.SET?.args) {
-        for (const arg of v.query.SET.args) {
-          if (arg?.SELECT) {
-            // Only in UNION cases?
-            for (const each of arg.SELECT.columns || []) {
-              if (each) {
-                const { xpr, cast } = each
-                if (cast && xpr) {
-                  if (!(xpr[0]?.xpr && xpr[0]?.cast)) {
-                    context.report({
-                      messageId: 'missingSQLCast',
-                      node: context.getNode(v)
-                    })
-                  }
-                }
-              }
-            }
+      if (!def?.query?.SET?.args?.length)
+        return
+
+      for (const arg of def.query.SET.args) {
+        if (arg?.SELECT?.columns?.length) {
+          // Only in UNION cases?
+          for (const col of arg.SELECT.columns) {
+            if (col)
+              checkColumn(col)
+          }
+        }
+      }
+
+      function checkColumn(col) {
+        const { xpr, cast } = col
+        if (cast && xpr) {
+          if (!(xpr[0]?.xpr && xpr[0]?.cast)) {
+            // we don't pass a name for the column's location, as it would be used to calculate
+            // endColumn, which is not correct for this expression
+            const loc = col.$location ?
+              context.getLocation('', col, model) :
+              context.getLocation(defName, def, model)
+
+            context.report({
+              messageId: 'missingSqlCast',
+              loc,
+              file: def.$location.file,
+            })
           }
         }
       }

package/lib/rules/sql-null-comparison.js

@@ -11,8 +11,7 @@ module.exports = {
       description: 'Ensure SQL comparisons with \'null\' are valid',
       category: 'Model Validation',
       recommended: false,
-      // TODO: Add documentation
-      // url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/sql-null-comparison',
+      url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/sql-null-comparison',
     },
     type: 'problem',
     model: 'parsed',
@@ -21,40 +20,45 @@ module.exports = {
     }
   },
   create(context) {
-    return {
-      view(v) {
-        forEachXprInDefinition(v, checkExpression)
-
-        function checkExpression(xpr, ctx) {
-          if (!xpr || !Array.isArray(xpr))
-            return
-
-          for (let i = 0; i < xpr.length; i++) {
-            if (typeof xpr[i] !== 'object')
-              continue // scalar value, etc.
-
-            if (xpr[i]?.val === null) {
-              const prev = i > 0 && typeof xpr[i-1] === 'string' ? xpr[i-1] : null
-              if (prev && invalidComparisonOperators.includes(prev)) {
-                reportComparison(xpr, ctx)
-                continue
-              }
-              const next = i+1 < xpr.length && typeof xpr[i+1] === 'string' ? xpr[i+1] : null
-              if (next && invalidComparisonOperators.includes(next))
-                reportComparison(xpr, ctx)
-            }
-          }
-        }
+    const model = context.getModel()
+    if (!model?.definitions)
+      return
 
-        function reportComparison(xpr, ctx) {
-          context.report({
-            messageId: 'nullComparison',
-            loc: context.getLocation(null, ctx),
-            file: ctx.$location?.file,
-          })
-        }
+    return function checkSqlNullComparisonsInModel() {
+      for (const defName in model.definitions) {
+        const def = model.definitions[defName]
+        if (def.query || def.projection)
+          forEachXprInDefinition(def, checkExpression)
+      }
+    }
+
+    function checkExpression(xpr, ctx) {
+      if (!xpr || !Array.isArray(xpr))
+        return
 
+      for (let i = 0; i < xpr.length; i++) {
+        if (typeof xpr[i] !== 'object')
+          continue // scalar value, etc.
+
+        if (xpr[i]?.val === null) {
+          const prev = i > 0 && typeof xpr[i-1] === 'string' ? xpr[i-1] : null
+          if (prev && invalidComparisonOperators.includes(prev)) {
+            reportComparison(xpr, ctx)
+            continue
+          }
+          const next = i+1 < xpr.length && typeof xpr[i+1] === 'string' ? xpr[i+1] : null
+          if (next && invalidComparisonOperators.includes(next))
+            reportComparison(xpr, ctx)
+        }
       }
     }
+
+    function reportComparison(xpr, ctx) {
+      context.report({
+        messageId: 'nullComparison',
+        loc: context.getLocation('', ctx),
+        file: ctx.$location?.file,
+      })
+    }
   }
 }

package/lib/rules/start-elements-lowercase.js

@@ -1,11 +1,14 @@
 'use strict'
 
+const { RULE_CATEGORIES } = require('../constants')
+
 const allowedUpperCaseElements = ['ID']
 
 module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.model,
       description: 'Regular element names should start with lowercase letters.',
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/start-elements-lowercase',
     },

package/lib/rules/start-entities-uppercase.js

@@ -1,11 +1,13 @@
 'use strict'
 
+const { RULE_CATEGORIES } = require('../constants')
 const { splitDefName } = require('../utils/rules')
 
 module.exports = {
   meta: {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
+      category: RULE_CATEGORIES.model,
       description: 'Regular entity names should start with uppercase letters.',
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/start-entities-uppercase',
     },

package/lib/rules/valid-csv-header.js

@@ -3,6 +3,7 @@
 const cds = require('@sap/cds')
 const { basename, extname } = require('node:path')
 const findFuzzy = require('../utils/findFuzzy')
+const { RULE_CATEGORIES } = require('../constants')
 const SEP = '[,;\t]'
 const EOL = '\\r?\\n'
 
@@ -11,7 +12,7 @@ module.exports = {
     schema: [{/* to avoid deprecation warning for ESLint 9 */}],
     docs: {
       description: 'CSV files for entities must refer to valid element names.',
-      category: 'Model Validation',
+      category: RULE_CATEGORIES.csv,
       recommended: true,
       url: 'https://cap.cloud.sap/docs/tools/cds-lint/rules/valid-csv-header',
     },

package/lib/utils/createRule.js

@@ -127,7 +127,6 @@ function setMetaDefaults (meta) {
   meta ??= {}
   meta.severity ??= constants.DEFAULT_RULE_SEVERITY
   meta.docs ??= {}
-  meta.docs.category ??= constants.DEFAULT_RULE_CATEGORY
   meta.model ??= 'parsed'
   return meta
 }
@@ -184,8 +183,10 @@ function createReport (node, cdsContext, meta, create) {
 
 function sanitizeFileLocation (d) {
   let parent = d
-  while (!parent.$location && parent.parent && !parent.parent.definitions) parent = d.parent
-  if (parent.$location) d.$location = parent.$location
+  while (!parent.$location && parent.parent && !parent.parent.definitions)
+    parent = d.parent
+  if (parent.$location)
+    d.$location = parent.$location
   return d
 }
 
@@ -213,8 +214,11 @@ function extendContext (node, context, meta) {
 
   const cdscontext = Object.create(Object.getPrototypeOf(context), descriptors)
   const { parserServices } = context.sourceCode || context
-  cdscontext.getModel =
-    meta.model === 'inferred' ? parserServices.getInferredCsn : parserServices.getParsedCsn
+
+  cdscontext.getModel = meta.model === 'inferred'
+    ? parserServices.getInferredCsn
+    : parserServices.getParsedCsn
+
   cdscontext.getEnvironment = () => {
     const options = context.options
     return options && options[0] && options[0].environment ? options[0].environment : undefined

package/lib/utils/getConfigPath.js

@@ -11,23 +11,12 @@
 const fs = require('node:fs')
 const path = require('node:path')
 
-module.exports = (currentDir = '.', legacy=false) => {
+module.exports = (currentDir = '.') => {
   let configFiles = [
     'eslint.config.js',
     'eslint.config.cjs',
     'eslint.config.mjs'
   ]
-  if (legacy) {
-    configFiles = [
-      '.eslintrc.js',
-      '.eslintrc.cjs',
-      '.eslintrc.yaml',
-      '.eslintrc.yml',
-      '.eslintrc.json',
-      '.eslintrc',
-      'package.json',
-    ]
-  }
   let configDir = path.resolve(currentDir)
   while (configDir !== path.resolve(configDir, '..')) {
     for (const configFile of configFiles) {

package/lib/utils/rules.js

@@ -8,23 +8,24 @@ const findFuzzy = require('./findFuzzy')
 module.exports = {
   findFuzzy,
   /**
-   *
-   * @param {*} e
+   * @param {object} definition CSN definition object.
+   * @param {string} [name] The definition's name. Inferred for "linked CSN".
    */
-  splitDefName(e) {
+  splitDefName(definition, name = definition.name) {
+    if (!name)
+      return null
     // Entity names from CSN are of the form:
     // <namespace>.<service>.<def>.<'texts'|'localized'>|<composition value>
     let prefix = ''
     let suffix = ''
-    let defName = e.name
-    const names = defName.split('.')
-    defName = names[names.length - 1]
+    const names = name.split('.')
+    let defName = names[names.length - 1]
 
     if (defName) {
       // Managed composition get compiler tag `_up`
       let isManagedComposition = false
-      if (e.elements) {
-        isManagedComposition = Object.keys(e.elements).some(k => k === 'up_')
+      if (definition.elements) {
+        isManagedComposition = Object.keys(definition.elements).some(k => k === 'up_')
       }
       // Check for compiler tags
       const compilerTagsToExclude = ['texts', 'localized']
@@ -34,7 +35,7 @@ module.exports = {
         suffix = names[names.length - 1]
         defName = names[names.length - 2]
       }
-      prefix = e.name.split(`.${defName}`)[0]
+      prefix = name.split(`.${defName}`)[0]
     }
     return { prefix, name: defName, suffix }
   },