@sap/eslint-plugin-cds 4.0.2 → 4.1.1

package/CHANGELOG.md

@@ -6,7 +6,22 @@ This project adheres to [Semantic Versioning](https://semver.org/).
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
-## [4.1.0] - 2025-05-27
+## [4.1.1] - 2025-12-04
+### Added
+- Top level type definitions for package export
+
+
+## [4.1.0] - 2025-08-18
+### Added
+- Add new rule `case-sensitive-well-known-events` to detect when a well known event is not cased correctly.
+
+### Changed
+- Adjust `no-shared-handler-variables` to also detect shared states when handler refers to a locally defined function, rather than an inline declaration.
+- Rule `use-cql-select-template-strings` now also catches offending template strings in other query parts than just `SELECT`.
+- Rule `no-shared-handler-variables` now also checks functions that are not part of a class extending `cds.ApplicationService`, if the function has an explicit type annotation `@type {import('@sap/cds').CRUDEventHandler.Before}`, `@type {import('@sap/cds').CRUDEventHandler.On}`, or `@type {import('@sap/cds').CRUDEventHandler.After}`.
+
+### Fixed
+- `no-cross-service-import` rule no longer crashes when some file has an unexpected name.
 
 
 ## [4.0.2] - 2025-05-27

package/lib/conf/index.js

@@ -4,6 +4,18 @@ const path = require('node:path')
 const { FILES, GLOBALS } = require('../constants')
 const { parserPath } = require('../api')
 
+function _createJavaConfig (plugin, configName) {
+  return {
+    name: '@sap/cds/java',
+    plugins: {
+      '@sap/cds': plugin,
+    },
+    files: ['**/*.java'],
+    language: '@sap/cds/java',
+    rules: require(path.join(__dirname, 'java', configName)),
+  }
+}
+
 function _createJsConfig (plugin, configName) {
   return {
     name: '@sap/cds/js',
@@ -43,6 +55,11 @@ module.exports = function (plugin) {
     js: {
       all: _createJsConfig(plugin, 'all'),
       recommended: _createJsConfig(plugin, 'recommended')
+    },
+    java: {
+      all: _createJavaConfig(plugin, 'all'),
+      recommended: _createJavaConfig(plugin, 'recommended'),
+      experimental: _createJavaConfig(plugin, 'experimental')
     }
   }
 }

package/lib/conf/java/all.js

@@ -0,0 +1,5 @@
+'use strict'
+
+module.exports = {
+  '@sap/cds/cql-class-targets': 'warn',
+}

package/lib/conf/java/experimental.js

@@ -0,0 +1,5 @@
+'use strict'
+
+module.exports = {
+  '@sap/cds/cql-class-targets': 'warn',
+}

package/lib/conf/java/recommended.js

@@ -0,0 +1,3 @@
+'use strict'
+
+module.exports = {}

package/lib/conf/js/all.js

@@ -2,7 +2,8 @@
 
 module.exports = {
   '@sap/cds/no-shared-handler-variable': 'error',
-  '@sap/cds/use-cql-select-template-strings': 'error',
+  '@sap/cds/cql-template-strings': 'error',
   '@sap/cds/no-cross-service-import': 'warn',
   '@sap/cds/no-deep-sap-cds-import': 'warn',
+  '@sap/cds/case-sensitive-well-known-events': 'warn',
 }

package/lib/conf/js/recommended.js

@@ -2,7 +2,8 @@
 
 module.exports = {
   '@sap/cds/no-shared-handler-variable': 'error',
-  '@sap/cds/use-cql-select-template-strings': 'error',
+  '@sap/cds/cql-template-strings': 'error',
   '@sap/cds/no-cross-service-import': 'warn',
   '@sap/cds/no-deep-sap-cds-import': 'warn',
+  '@sap/cds/case-sensitive-well-known-events': 'warn',
 }

package/lib/constants.js

@@ -21,6 +21,7 @@ const RULE_CATEGORIES = {
   javascript: 'JavaScript Validation',
   environment: 'Environment Validation',
   csv: 'CSV Validation',
+  java: 'Java Validation'
 }
 const DEFAULT_RULE_CATEGORY = 'Model Validation'
 const DEFAULT_RULE_FLAVOR = RULE_FLAVORS[0]

package/lib/index.js

@@ -18,26 +18,31 @@
 
 const api = require('./api')
 const getConfigs = require('./conf')
-const rules = Object.assign(
-  {},
-  ...Object.entries(require('./rules')).map(([k, v]) => ({ [k]: v() }))
-)
-
+const { allRules, initialiseRules } = require('./rules')
+const { javaLanguage } = require('./languages/java/java-language')
 const packageJson = require('../package.json')
 
+const rules = initialiseRules(allRules)
+
 const plugin = {
   meta: {
     name: packageJson.name,
     version: packageJson.version
   },
+  languages: {
+    java: javaLanguage
+  },
   configs: {},
   rules,
   ...api
 }
 
-// Assign configs here so we can reference `plugin`
-Object.assign(plugin.configs, getConfigs(plugin))
-
 // Use commonJS entry point to ensure backwards compatibility (<eslint@v9):
 // https://eslint.org/docs/latest/extend/plugin-migration-flat-config#backwards-compatibility
-module.exports = plugin
+// spread and mix object to be able to reference plugin in getConfigs
+module.exports = {
+  ...plugin,
+  ...{
+    configs: getConfigs(plugin)
+  }
+}

package/lib/languages/java/java-language.js

@@ -0,0 +1,69 @@
+'use strict'
+
+const TreeSitterParser = require('tree-sitter')
+const Java = require('tree-sitter-java')
+const { JavaSourceCode } = require('./java-source-code')
+
+/**
+ * @typedef {object} JavaLanguageOptions
+ * @typedef {{languageOptions: JavaLanguageOptions}} JavaLanguageContext
+ */
+
+const jp = new TreeSitterParser()
+jp.setLanguage(Java)
+
+/**
+ * @param {import('@eslint/core').File} file
+ * @param {JavaLanguageContext} context
+ */
+function parseJavaCode (file /*, context*/) {
+  const code = file.body
+  const treeSitterAst = jp.parse(code)
+
+  if (!treeSitterAst) {
+    return { ast: null, ok: false }
+  }
+  if (!treeSitterAst.rootNode) {
+    return { ast: treeSitterAst, ok: false }
+  }
+  return { ast: treeSitterAst, ok: true }
+}
+
+/**
+ * @param {import('@eslint/core').File} file
+ * @param {ReturnType<typeof parseJavaCode>} parseResult
+ * @param {JavaLanguageContext} context
+ */
+function createJavaSourceCode(file, parseResult /*, context*/) {
+  if (!parseResult.ok || !parseResult.ast) {
+    throw new Error('createJavaSourceCode: parseResult is not ok or has no AST', {
+      ok: parseResult.ok,
+      hasAst: !!parseResult.ast
+    })
+  }
+  return new JavaSourceCode({ text: file.body, ast: parseResult.ast })
+}
+
+/**
+ * @param {JavaLanguageOptions} languageOptions
+ */
+function validateJavaLanguageOptions(/*languageOptions*/) {
+  // No specific options to validate for Java currently
+}
+
+/**
+ * @link https://eslint.org/docs/latest/extend/languages#the-language-object
+ */
+const javaLanguage = /** @type {const}*/({
+  fileType: 'text',
+  lineStart: 0,
+  columnStart: 0,
+  nodeTypeKey: 'type',
+  validateLanguageOptions: validateJavaLanguageOptions,
+  parse: parseJavaCode,
+  createSourceCode: createJavaSourceCode
+})
+
+module.exports = {
+  javaLanguage,
+}

package/lib/languages/java/java-source-code.js

@@ -0,0 +1,179 @@
+'use strict'
+
+// not 100% accurate, as it matches _any_ comment containing 'eslint-disable' etc.
+// but in Java sources, users will hopefully only mention eslint-* when they
+// actually mean to configure ESLint.
+const INLINE_CONFIG = /eslint(?:-enable|-disable(?:(?:-next)?-line)?)?(?:\s|$)/u
+
+/**
+ * @link see https://github.com/eslint/json/blob/main/src/languages/json-source-code.js
+ */
+const {
+  VisitNodeStep,
+  TextSourceCodeBase,
+  Directive
+} = require('@eslint/plugin-kit')
+
+/** @typedef {'disable' | 'enable' | 'disable-next-line' | 'disable-line'} DirectiveType */
+
+
+/**
+ * @param {import('tree-sitter').SyntaxNode} comment
+ * @returns {{
+ *  label: 'eslint-disable' | 'eslint-enable' | 'eslint-disable-next-line' | 'eslint-disable-line',
+ *  value: string,
+ *  justification: string | undefined
+ * }}
+ */
+function parseDirective(comment) {
+  // label, value, justification
+  //      * but before the "--" that indicates the justification.
+  const [, label, value, justification] = comment.text.match(/^\W*(eslint[\w-]*) (\S+)(?: -- (.+))?/)
+  return { label, value, justification}
+}
+
+class JavaTraversalStep extends VisitNodeStep {
+  /** @param {{ target: unknown, phase: 1|2, args: Array<any> }} arg0 */
+  constructor({ target, phase, args }) {
+    super({ target, phase, args })
+  }
+}
+
+/**
+ * @param {import('tree-sitter').SyntaxNode} node
+ * @param {(node: import('tree-sitter').SyntaxNode) => void} enterAction
+ * @param {undefined | (node: import('tree-sitter').SyntaxNode) => void} exitAction
+ */
+function traverse(node, enterAction, exitAction) {
+  enterAction?.(node)
+  //steps.push(new JavaTraversalStep({ target: node, phase: 1, args: [] }))
+  for (const child of node.children) {
+    traverse(child, enterAction, exitAction)
+  }
+  exitAction?.(node)
+}
+
+
+/** @param {import('tree-sitter').SyntaxNode} node */
+const getAncestors = node => !node
+  ? []
+  : [...getAncestors(node.parent), node]
+
+/**
+ * @link https://eslint.org/docs/latest/extend/languages#the-sourcecode-object
+ */
+class JavaSourceCode extends TextSourceCodeBase {
+  /** @type {undefined | import('tree-sitter').SyntaxNode[]} */
+  #comments
+  /** @type {undefined | import('tree-sitter').SyntaxNode[]} */
+  #inlineConfigComments
+
+  get comments() {
+    if (!this.#comments) {
+      this.#comments = []
+      traverse(this.ast.rootNode, node => {
+        if (['line_comment', 'block_comment'].includes(node.type)) {
+          this.#comments.push(node)
+        }
+      })
+    }
+    return this.#comments
+  }
+
+  get inlineConfigNodes() {
+    if (!this.#inlineConfigComments) {
+      this.#inlineConfigComments = this
+        .comments
+        .filter(comment =>
+          INLINE_CONFIG.test(comment.text),
+        ) ?? []
+    }
+
+    return this.#inlineConfigComments
+  }
+
+  get lines () { return this.text.split(/\r\n|\r|\n/)  }
+
+  /** @param {import('tree-sitter').SyntaxNode} node */
+  getLoc(node) {
+    return {
+      start: { line: node.startPosition.row, column: node.startPosition.column },
+      end: { line: node.endPosition.row, column: node.endPosition.column }
+    }
+  }
+
+  /** @param {import('tree-sitter').SyntaxNode} node */
+  getRange(node) {
+    return [node.startIndex, node.endIndex]
+  }
+
+  /** @param {import('tree-sitter').SyntaxNode} node */
+  getParent(node) {
+    return node.parent ?? undefined  // .parent is null if root, we need undefined
+  }
+
+  /** @param {import('tree-sitter').SyntaxNode} node */
+  getAncestors(node) {
+    // ESLint wants ancestors excluding the node itself
+    return getAncestors(node.parent)
+  }
+
+  /** @param {import('tree-sitter').SyntaxNode} node */
+  getText(node) {
+    return node.text
+  }
+
+  getDisableDirectives() {
+    /** @type {FileProblem[]} */
+    const problems = []
+    /** @type {Directive[]} */
+    const directives = []
+
+    for (const comment of this.inlineConfigNodes) {
+      const { label, value, justification } = parseDirective(comment)
+
+      // `eslint-disable-line` directives are not allowed to span multiple lines as it would be confusing to which lines they apply
+      if (label === 'eslint-disable-line' && comment.loc.start.line !== comment.loc.end.line) {
+        problems.push({
+          ruleId: null,
+          message: `${label} comment should not span multiple lines.`,
+          loc: comment.loc,
+        })
+      } else if (['eslint-disable', 'eslint-enable', 'eslint-disable-next-line', 'eslint-disable-line'].includes(label)) {
+        directives.push(
+          new Directive({
+            type: /** @type {DirectiveType} */ (label.slice('eslint-'.length)),
+            node: comment,
+            value,
+            justification,
+          }),
+        )
+      }
+    }
+    return { problems, directives }
+  }
+
+  traverse() {
+    const steps = []
+    if (!this.ast || !this.ast.rootNode) {
+      return steps
+    }
+    traverse(this.ast.rootNode, node => {
+      steps.push(new JavaTraversalStep({ target: node, phase: 1 }))
+    }, node => {
+      steps.push(new JavaTraversalStep({ target: node, phase: 2 }))
+    })
+    return steps
+  }
+
+  /** @param {{text: string, ast: import('tree-sitter').Tree}} param0 */
+  constructor({text, ast}) {
+    super({text, ast})
+    this.text = text
+    this.ast = ast
+  }
+}
+
+module.exports = {
+  JavaSourceCode
+}

package/lib/rules/index.js

@@ -17,10 +17,28 @@ const readRulesFromDir = (dir, post) => Object.fromEntries(fs.readdirSync(path.j
   .filter(([,module]) => Object.hasOwn(module, 'create'))  // create() is required to exist on top level by eslint -> good check to find actual rules
   .map(([file, module]) => [file, () => post(module)]))
 
+/**
+ * Calls the initialisation function for each rule in the given rule set.
+ * @param {Record<string, () => unknown>} ruleSet
+ * @returns {Record<string, unknown>}
+ */
+const initialiseRules = ruleSet => Object.fromEntries(
+  Object.entries(ruleSet)
+    .map(([k, v]) => [[k], v()]))
+
 const cdsRules = readRulesFromDir('.', createRule)
 const jsRules = readRulesFromDir('js', module => module)
-const rules = {...cdsRules, ...jsRules}
+// backwards compat, remove in next minor
+jsRules['use-cql-select-template-strings'] = jsRules['cql-template-strings']
+const javaRules = readRulesFromDir('java', module => module)
+const allRules = {...cdsRules, ...jsRules, ...javaRules}
 
-globalCache.set('rules', rules)
+globalCache.set('rules', allRules)
 
-module.exports = rules
+module.exports = {
+  allRules,
+  jsRules,
+  javaRules,
+  cdsRules,
+  initialiseRules
+}

package/lib/rules/java/cql-class-targets.js

@@ -0,0 +1,59 @@
+'use strict'
+
+/**
+ * In Select.from(x), x should be a class literal.
+ */
+
+const { RULE_CATEGORIES } = require('../../constants')
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      recommended: true,
+      category: RULE_CATEGORIES.java,
+      description: 'java.'
+    },
+    fixable: 'code',
+    schema: [],
+    messages: {
+      selectOnNonClass: `'{{target}}' is not a class. Prefer to pass class literals to Select.from!`,
+    },
+    hasSuggestions: true
+  },
+  create: context => {
+    const knownClasses = new Set()
+
+    /** @param {Node} node */
+    const refersToClass = node =>
+      node.type === 'class_literal'
+      // or part of explicit named imports
+      || knownClasses.has(node.text)
+      // or first letter of last part of text is uppercase: a.b.C -> true
+      // https://unicode.org/reports/tr18/#General_Category_Property
+      || /^\p{Lu}/u.test(node.text.split('.').at(-1))
+
+    return {
+      'import_declaration > scoped_identifier': function(node) {
+        if (!node) return
+        if (node.nameNode) {
+          knownClasses.add(node.nameNode.text)
+        }
+      },
+
+      "method_invocation > identifier[text='from']": function(node) {
+        if (!node?.parent?.argumentsNode) return
+        const args = node.parent.argumentsNode.children
+          .filter(c => c.constructor.name !== 'SyntaxNode')  // filter out commas, parens, etc.
+          ?? []
+        if (!refersToClass(args[0])) {
+          context.report({
+            node: args[0],
+            messageId: 'selectOnNonClass',
+            data: { target: args[0].text }
+          })
+        }
+      },
+    }
+  }
+}

package/lib/rules/js/CdsHandlerRule.js

@@ -1,9 +1,9 @@
 // TODO:
 // - class extends require('@sap/cds').ApplicationService
 // - class extends await import('@sap/cds').ApplicationService
-/** @typedef {import('@sap/eslint-plugin-cds/lib/rules/js/types').CdsContextTracker.Scope} Scope */
-/** @typedef {import('@sap/eslint-plugin-cds/lib/rules/js/types').CdsContextTracker.Variable} Variable */
-/** @typedef {import('@sap/eslint-plugin-cds/lib/rules/js/types').CdsContextTracker.VariableType} VariableType */
+/** @typedef {import('./types').CdsContextTracker.Scope} Scope */
+/** @typedef {import('./types').CdsContextTracker.Variable} Variable */
+/** @typedef {import('./types^').CdsContextTracker.VariableType} VariableType */
 
 'use strict'
 
@@ -42,6 +42,7 @@ class CdsHandlerRule {
   get isInsideCapHandlerRegistration() {  return this.capHandlerRegistrationStack.length > 0 }
 
   constructor (context) {
+    /** @type {import('eslint').Rule.RuleContext} */
     this.context = context
     /** @type {Scope[]} */
     this.functionScopes = [ produceScope('<global>') ]
@@ -89,6 +90,17 @@ class CdsHandlerRule {
     return info?.variable.isCdsVariable
   }
 
+  /**
+   * @param {ReturnType<typeof produceHandlerRegistration>} registration - the handler registration to add
+   */
+  addCapHandlerRegistration (registration) {
+    this.capHandlerRegistrationStack.push(registration)
+  }
+
+  removeCapHandlerRegistration () {
+    this.capHandlerRegistrationStack.pop()
+  }
+
   /**
      * @param {Variable} variable
      */
@@ -96,6 +108,17 @@ class CdsHandlerRule {
     this.functionScopes.at(-1).variables.push(variable)
   }
 
+  /**
+   * @param {Scope} scope - the scope to add
+   */
+  enterFunctionScope (scope) {
+    this.functionScopes.push(scope)
+  }
+
+  leaveFunctionScope () {
+    this.functionScopes.pop()
+  }
+
   /**
      * @abstract
      */
@@ -124,7 +147,7 @@ class CdsHandlerRule {
       // like: this.on('submitOrder', bar)
       if (['before', 'on', 'after'].some(method => method === property.name)) {
         const handler = node.arguments.at(-1)
-        this.capHandlerRegistrationStack.push(produceHandlerRegistration({
+        this.addCapHandlerRegistration(produceHandlerRegistration({
           call: node,
           handler
         }))
@@ -136,23 +159,27 @@ class CdsHandlerRule {
 
   'CallExpression:exit'(node) {
     if (this.capHandlerRegistrationStack.at(-1)?.call === node) {
-      this.capHandlerRegistrationStack.pop()
+      this.removeCapHandlerRegistration()
     }
   }
 
   BlockStatement(node) {
     if(isFunctionBody(node)) {
-      this.functionScopes.push(produceScope(
+      this.enterFunctionScope(produceScope(
         node.parent?.key?.name
                 ?? node.parent?.id?.name
                 ?? node.parent?.parent?.key?.name
+                // const f = function() { ... }
+                ?? (node.parent?.parent?.type === 'VariableDeclarator'
+                  ? node.parent.parent.id.name
+                  : undefined)
                 ?? '<anonymous>'))
     }
   }
 
   'BlockStatement:exit'(node) {
     if(isFunctionBody(node)) {
-      this.functionScopes.pop()
+      this.leaveFunctionScope()
     }
   }
 
@@ -161,10 +188,10 @@ class CdsHandlerRule {
   // determine when we are inside the body ArrowFunctionExpression from looking at the body,
   // as we'd have to add a visitor for every expression type and check if it's a child of an ArrowFunctionExpression.
   'ArrowFunctionExpression > :not(BlockStatement)'() {
-    this.functionScopes.push(produceScope('<anonymous>'))
+    this.enterFunctionScope(produceScope('<anonymous>'))
   }
   'ArrowFunctionExpression > :not(BlockStatement):exit'() {
-    this.functionScopes.pop()
+    this.leaveFunctionScope()
   }
 
   ImportDeclaration(node) {

package/lib/rules/js/case-sensitive-well-known-events.js

@@ -0,0 +1,53 @@
+'use strict'
+
+const { RULE_CATEGORIES } = require('../../constants')
+const { CdsHandlerRule } = require('./CdsHandlerRule')
+
+const WELL_KNOWN_EVENTS = [
+  'CREATE', 'READ', 'UPDATE', 'UPSERT','DELETE',
+  'INSERT','SELECT',
+  'POST','GET','PUT','PATCH',
+  'NEW', 'CANCEL', 'EDIT', 'SAVE'  // draft related
+]
+
+class CaseSensitiveWellKnownEvents extends CdsHandlerRule {
+  CAPHandlerRegistration(node) {
+    const first = node.parent?.arguments?.[0]
+    if (!first) return
+    const currentEventName = first.value ?? ''
+    const currentEventNameUpper = currentEventName.toUpperCase()
+    if (WELL_KNOWN_EVENTS.includes(currentEventNameUpper) && currentEventName !== currentEventNameUpper) {
+      const quoteType = ['"', '\'', '`'].includes(first.raw?.[0]) ? first.raw?.[0] : '"'
+      this.context.report({
+        node: first,
+        messageId: 'incorrectEventNameCase',
+        data: {
+          currentEventName: currentEventName,
+          properEventName: currentEventNameUpper
+        },
+        suggest: [{
+          desc: 'Change event casing to upper case',
+          fix: fixer => fixer.replaceText(first, `${quoteType}${currentEventNameUpper}${quoteType}`)
+        }]
+      })
+    }
+  }
+}
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      recommended: true,
+      category: RULE_CATEGORIES.javascript,
+      description: 'Make sure well-known events are used with proper casing.'
+    },
+    fixable: 'code',
+    schema: [],
+    messages: {
+      incorrectEventNameCase: 'Found an event registration for event "{{currentEventName}}", which is likely supposed to be "{{properEventName}}".'
+    },
+    hasSuggestions: true
+  },
+  create: context => new CaseSensitiveWellKnownEvents(context).asESLintVisitor()
+}

package/lib/rules/js/cql-template-strings.js

@@ -0,0 +1,64 @@
+'use strict'
+
+const { RULE_CATEGORIES } = require('../../constants')
+const { CdsHandlerRule } = require('./CdsHandlerRule')
+
+const isCqlClauseStart = node => ['SELECT', 'UPDATE', 'INSERT', 'DELETE', 'UPSERT'].includes(node.name)
+
+/**
+ * ESLint goes through member functions in reverse order:
+ *   x.y.z -> z, y, x
+ * so we can not track when we
+ * enter a CQL clause, but instead have to check the chain of ancestors for each member
+ * recursively. If we find the topmost function call is a CQL clause (SELECT, UPDATE, etc.),
+ * none of the member functions in the chain are allowed to use untagged template strings.
+ */
+const isInCqlClause = node => {
+  if (!node) return false
+  if (node.type === 'CallExpression' && isCqlClauseStart(node.callee)) return true
+  if (node.type === 'TaggedTemplateExpression' && isCqlClauseStart(node.tag)) return true
+  // f(...) and f`...` have slightly different structure, the former has .callee, the latter has .tag
+  // -> use the first that is available to ascend through the call chain
+  return isInCqlClause(node.callee?.object ?? node.tag?.object)
+}
+
+class CqlSelectUseTemplateStrings extends CdsHandlerRule {
+  CallExpression(node) {
+    super.CallExpression(node)
+    const [arg] = node.arguments ?? []
+    if (arg?.type !== 'TemplateLiteral') return
+    if (arg.expressions.length === 0) return  // no expressions in the template string, so no SQL injection risk
+    if (!isInCqlClause(node)) return
+
+    const [functionName, prefix] =  node.callee.type === 'MemberExpression'
+      // for ….where`...` we need to use the full preceding expression in the following replacement
+      ? [node.callee.property?.name, this.context.getSourceCode().getText(node.callee)]
+      // for SELECT`...` we can use the function name directly
+      : [node.callee.name, node.callee.name]
+    this.context.report({
+      node,
+      message: 'Do not use {{functionName}}(`...`) inside CQL statements, which is prone to SQL injections.',
+      data: { functionName },
+      suggest: [{
+        desc: 'Use {{functionName}}`...` instead of {{functionName}}(`...`)',
+        data: { functionName },
+        fix: fixer => fixer.replaceText(node, `${prefix}${this.context.getSourceCode().getText(arg)}`)
+      }]
+    })
+  }
+}
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      recommended: true,
+      category: RULE_CATEGORIES.javascript,
+      description: 'Discourage use of SELECT(...), which allows SQL injections, in favour of SELECT`...`.'
+    },
+    fixable: 'code',
+    schema: [],
+    hasSuggestions: true
+  },
+  create: context => new CqlSelectUseTemplateStrings(context).asESLintVisitor()
+}

package/lib/rules/js/no-cross-service-import.js

@@ -18,7 +18,7 @@ function compareImportAndFilename (importPath, context, node) {
   // ignore excessively long strings
   if (importPath.length > MAX_INPUT_STRING_LENGTH || currentFile.length > MAX_INPUT_STRING_LENGTH) return
   const [, typerModuleFq, typerModule] = /^#cds-models\/.*?((\w+)Service)$/.exec(importPath) ?? []
-  const [, fileNameFq, fileName] = /((\w+)-?[sS]ervice\.m?[jt]s)$/.exec(currentFile)
+  const [, fileNameFq, fileName] = /((\w+)-?[sS]ervice\.m?[jt]s)$/.exec(currentFile) ?? []
   // typerModule === undefined -> not a service import (probably db-level-entity import)
   if (typerModule && fileName && typerModule !== fileName) {
     context.report({

package/lib/rules/js/no-shared-handler-variable.js

@@ -5,14 +5,6 @@ Use cases not yet covered:
 INLINE EXTENSION
 class FooService extends require('@sap/cds').ApplicationService { ... }
 
-//---------
-REFERENCED FUNCTION
-function bad() { ... }
-
-class ... {
-    this.on('', bad)
-}
-
 //---------
 METHOD
 class ... {
@@ -39,18 +31,164 @@ cds.services['myService'].on('READ', 'Books', () => {})
 const { RULE_CATEGORIES } = require('../../constants')
 const { CdsHandlerRule } = require('./CdsHandlerRule')
 
+/**
+ * @param {string | undefined} t
+ */
+function isHandlerType(t) {
+  // match "import('@sap/cds').CRUDEventHandler.Before" etc.
+  return ['Before', 'On', 'After'].some(handlerType => t?.match(new RegExp(`import\\s?\\(.@sap\\/cds.\\)\\.CRUDEventHandler.${handlerType}`)))
+}
+
 class NoSharedVariable extends CdsHandlerRule {
-  AssignmentExpression(node) {
-    if (!this.isInsideCapHandlerRegistration) return
-    const declaringScope = this.findDefinitionScope(node.left.name)
-    if (declaringScope?.isLocal === false) {
-      this.context.report({
-        node,
-        messageId: 'noSharedHandlerVariable',
-        data: {
-          definitionScope: declaringScope.scope.name
-        }
+  /**
+   * Functions that modify variables that are not locally declared.
+   * They are stored by name.
+   * Note: this is not fully fail proof, as the functions are stored in a flat fashion,
+   * rather than maintaining the scope they are declared in.
+   * This could lead to false positives if a function with the same name is declared in multiple scopes.
+   * @type {Record<string, Scope>}
+   */
+  #suspiciousFunctions = {}
+  /**
+   * nodes of handler registrations like:
+   * ```js
+   * this.on('READ', 'Books', handler)
+   * //                       ^^^^^^^
+   * ```
+   * as they reference the handler by name, its definition may come later in the code
+   * due to hoisting.
+   * We check them later in `Program:exit()`.
+   */
+  #pendingInspections = []
+
+  /**
+   * Typedef JSDoc to look up local aliases.
+   * ```js
+   * ＠typedef {Bar} Foo
+   * ```
+   * becomes
+   * ```js
+   * {Foo: 'Bar'}
+   * ```
+   * @type {Record<string, import('estree').Comment & { type: string }>}
+   */
+  #typeDefinitions = {}
+
+  /**
+   * Type JSDoc that matches the estree definition of a Comment,
+   * plus an additional `type` property that contains the type of the variable.
+   * Local type aliases are resolved to the actual type using #typeDefinitions.
+   *
+   * @type {Array<import('estree').Comment & { type: string }>}
+   */
+  #typeDeclarations = []
+
+  #handlerDefinitionDepth = 0
+
+  /**
+   * When we are inside a function that has explicitly been annotated as
+   * a handler function via a @type JSDoc annotation.
+   */
+  get isInsideExplicitCapHandlerDefinition() {
+    return this.#handlerDefinitionDepth > 0
+  }
+
+  addCapHandlerRegistration(registration) {
+    super.addCapHandlerRegistration(registration)
+
+    if (registration.handler.type === 'Identifier') {
+      this.#pendingInspections.push(registration)
+    }
+  }
+
+  Program() {
+    const comments = this.context.sourceCode.getAllComments()
+    this.#typeDefinitions = Object.fromEntries(comments
+      .map(comment => {
+        const [, type, name] = comment.value.match(/^\*\s?@typedef\s?\{(.*)\}\s?(\w*)/) ?? []
+        return type && name ? [ name, {...comment, type} ] : null
+      })
+      .filter(Boolean))
+    this.#typeDeclarations = comments
+      .map(comment => {
+        const match = comment.value.match(/^\*\s?@type\s?\{(.*)\}/)?.[1]
+        if (!match) return null
+        const type = this.#typeDefinitions[match]?.type ?? match
+        return type ? { ...comment, type } : null
       })
+      .filter(Boolean)
+  }
+
+  'Program:exit'() {
+    for (const node of this.#pendingInspections) {
+      const { scope } = this.#suspiciousFunctions[node.handler.name] ?? {}
+      if (scope) {
+        this.context.report({
+          node: node.handler,
+          messageId: 'noSharedHandlerVariable',
+          data: {
+            definitionScope: scope.name
+          }
+        })
+      }
+    }
+  }
+
+  #enterFunctionDefinition(node) {
+    // find a JDoc type comment, that is either on the line before, or in the same line,
+    // but up to three columns to the left. The latter condition covers three cases:
+    // 1. TYPEDEFFUNC -- (no space between the comment and start of function) -> distance = 0
+    // 2. TYPEDEF FUNC-- (one space between the comment and start of function) -> distance = 1
+    // 3. TYPEDEF(FUNC) -- (no space after typedef, followed by an opening parenthesis) -> distance = 1
+    // 3. TYPEDEF (FUNC) -- (one space after typedef and an opening parenthesis) -> distance = 2
+    // Note: this will fail if we have empty lines between the function declaration and the JSDoc.
+    // Also when users have more spaces or other outlandish formatting styles.
+    const type = this.#typeDeclarations.find(({loc}) =>
+      loc.end.line === node.loc.start.line - 1
+      || loc.end.line === node.loc.start.line && [0,1,2].includes(node.loc.start.column - loc.end.column)
+    )
+    // if the function is explicitly declared as handler, we check it.
+    // If the function is not explicitly declared as handler, but a surrounding function is (this.handlerDefinitionDepth > 0),
+    // we check it too.
+    if (isHandlerType(type?.type) || this.isInsideExplicitCapHandlerDefinition) this.#handlerDefinitionDepth++
+  }
+
+  #exitFunctionDefinition() {
+    this.#handlerDefinitionDepth = Math.max(0, this.#handlerDefinitionDepth - 1)
+  }
+
+  // () => ...
+  ArrowFunctionExpression(node) { this.#enterFunctionDefinition(node) }
+  'ArrowFunctionExpression:exit'() { this.#exitFunctionDefinition() }
+  // function() { ... }
+  FunctionExpression(node) { this.#enterFunctionDefinition(node) }
+  'FunctionExpression:exit'() { this.#exitFunctionDefinition() }
+  // function f () { ... }
+  FunctionDeclaration(node) { this.#enterFunctionDefinition(node) }
+  'FunctionDeclaration:exit'() { this.#exitFunctionDefinition()}
+
+  AssignmentExpression(node) {
+    if (this.isInsideCapHandlerRegistration || this.isInsideExplicitCapHandlerDefinition) {
+      // like: this.on('READ', 'Books', () => { variable = 42 })
+      const declaringScope = this.findDefinitionScope(node.left.name)
+      if (declaringScope?.isLocal === false) {
+        this.context.report({
+          node,
+          messageId: 'noSharedHandlerVariable',
+          data: {
+            definitionScope: declaringScope.scope.name
+          }
+        })
+      }
+    } else if (this.functionScopes.length > 0) {
+      // not inside a handler registration, but in a function that may be referenced in a handler registration
+      // like: this.on('READ', 'Books', handler)
+      // as functions are hoisted and can be referenced before their definition, we just collect the names of suspicious functions
+      // and check them in Program:exit when we have inspected all functions.
+      const declaringScope = this.findDefinitionScope(node.left.name)
+      if (declaringScope?.isLocal === false) {
+        this.#suspiciousFunctions[this.functionScopes.at(-1).name] = declaringScope
+      }
     }
   }
 }

package/lib/utils/runRuleTester.js

@@ -9,7 +9,7 @@ const { RuleTester } = require('eslint')
 const { globalCache } = require('./Cache')
 const isConfiguredFileType = require('./isConfiguredFileType')
 const { compileModelFromDict } = require('../parser')
-const rules = require('../rules')
+const { allRules: rules } = require('../rules')
 
 /**
  * A wrapper around the return value of `createRule()` that initializes the global

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/eslint-plugin-cds",
-  "version": "4.0.2",
+  "version": "4.1.1",
   "description": "ESLint plugin including recommended SAP Cloud Application Programming model and environment rules",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [
@@ -20,7 +20,10 @@
     "README.md"
   ],
   "dependencies": {
-    "semver": "^7.7.1"
+    "@eslint/plugin-kit": "^0.4.1",
+    "semver": "^7.7.1",
+    "tree-sitter": "^0.21.1",
+    "tree-sitter-java": "^0.23.5"
   },
   "peerDependencies": {
     "@sap/cds": ">=9",

package/lib/rules/js/use-cql-select-template-strings.js

@@ -1,35 +0,0 @@
-'use strict'
-
-const { RULE_CATEGORIES } = require('../../constants')
-const { CdsHandlerRule } = require('./CdsHandlerRule')
-
-class CqlSelectUseTemplateStrings extends CdsHandlerRule {
-  CallExpression(node) {
-    super.CallExpression(node)
-    if (node.callee?.name === 'SELECT' && node.arguments[0].type === 'TemplateLiteral') {
-      this.context.report({
-        node,
-        message: 'Do not use SELECT(`...`), which is prone to SQL injections.',
-        suggest: [{
-          desc: 'Use SELECT`...` instead',
-          fix: fixer => fixer.replaceText(node, `SELECT${this.context.getSourceCode().getText(node.arguments[0])}`)
-        }]
-      })
-    }
-  }
-}
-
-module.exports = {
-  meta: {
-    type: 'problem',
-    docs: {
-      recommended: true,
-      category: RULE_CATEGORIES.javascript,
-      description: 'Discourage use of SELECT(...), which allows SQL injections, in favour of SELECT`...`.'
-    },
-    fixable: 'code',
-    schema: [],
-    hasSuggestions: true
-  },
-  create: context => new CqlSelectUseTemplateStrings(context).asESLintVisitor()
-}