eslint-plugin-sonarjs 3.0.7 → 4.0.0

package/cjs/S125/rule.js

@@ -54,7 +54,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.rule = void 0;
-const eslint_1 = require("eslint");
 const index_js_1 = require("../helpers/index.js");
 const meta = __importStar(require("./generated-meta.js"));
 const index_js_2 = require("../helpers/recognizers/index.js");
@@ -135,7 +134,7 @@ exports.rule = {
         };
     },
 };
-function isExpressionExclusion(statement, value, program) {
+function isExpressionExclusion(statement, value, program, context) {
     if (statement.type === 'ExpressionStatement') {
         const expression = statement.expression;
         if (expression.type === 'Identifier' ||
@@ -144,18 +143,20 @@ function isExpressionExclusion(statement, value, program) {
             isExcludedLiteral(expression)) {
             return true;
         }
-        // Only construct SourceCode when we need getLastToken
-        const code = new eslint_1.SourceCode(value, program);
+        // Only construct SourceCode when we need getLastToken.
+        // Access the constructor from context to avoid a static runtime import of 'eslint'.
+        const SourceCodeClass = context.sourceCode.constructor;
+        const code = new SourceCodeClass(value, program);
         return !code.getLastToken(statement, token => token.value === ';');
     }
     return false;
 }
-function isExclusion(parsedBody, value, program) {
+function isExclusion(parsedBody, value, program, context) {
     if (parsedBody.length === 1) {
         const singleStatement = parsedBody[0];
         return (EXCLUDED_STATEMENTS.has(singleStatement.type) ||
             isReturnThrowExclusion(singleStatement) ||
-            isExpressionExclusion(singleStatement, value, program));
+            isExpressionExclusion(singleStatement, value, program, context));
     }
     return false;
 }
@@ -174,7 +175,7 @@ function containsCode(value, context) {
         const parser = context.languageOptions?.parserOptions?.parser ?? context.languageOptions?.parser;
         const result = 'parse' in parser ? parser.parse(value, options) : parser.parseForESLint(value, options).ast;
         const program = result;
-        return program.body.length > 0 && !isExclusion(program.body, value, program);
+        return program.body.length > 0 && !isExclusion(program.body, value, program, context);
     }
     catch {
         return false;

package/cjs/S7790/rule.js

@@ -70,7 +70,10 @@ exports.rule = {
             CallExpression: (node) => {
                 const callExpression = node;
                 const fqn = (0, index_js_1.getFullyQualifiedName)(context, callExpression);
-                if (fqn && templatingFqns.has(fqn) && isQuestionable(callExpression)) {
+                if (fqn &&
+                    templatingFqns.has(fqn) &&
+                    !isCallingFunctionResult(context, callExpression) &&
+                    isQuestionable(callExpression)) {
                     context.report({
                         messageId: 'reviewDynamicTemplate',
                         node: callExpression.callee,
@@ -80,6 +83,23 @@ exports.rule = {
         };
     },
 };
+/**
+ * Returns true when the callee is a variable holding the result of a prior call,
+ * e.g. `const fn = pug.compile(tpl); fn(data);` — fn(data) is not a direct
+ * templating call, so we should not flag it again.
+ */
+function isCallingFunctionResult(context, callExpression) {
+    const callee = callExpression.callee;
+    if (callee.type !== 'Identifier') {
+        return false;
+    }
+    const variable = (0, index_js_1.getVariableFromScope)(context.sourceCode.getScope(callee), callee.name);
+    if (!variable || variable.defs.some(def => def.type === 'ImportBinding')) {
+        return false;
+    }
+    const writeRef = (0, index_js_1.getUniqueWriteReference)(variable);
+    return writeRef?.type === 'CallExpression';
+}
 function isQuestionable(node, index = 0) {
     const args = node.arguments;
     const templateString = args[index];

package/cjs/{S3854 → S8441}/generated-meta.js

@@ -15,7 +15,7 @@
  * You should have received a copy of the Sonar Source-Available License
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
-// https://sonarsource.github.io/rspec/#/rspec/S3854/javascript
+// https://sonarsource.github.io/rspec/#/rspec/S8441/javascript
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -36,16 +36,16 @@ __exportStar(require("./meta.js"), exports);
 exports.meta = {
     type: 'problem',
     docs: {
-        description: '"super()" should be invoked appropriately',
+        description: 'Static Assets should not serve session cookies',
         recommended: true,
-        url: 'https://sonarsource.github.io/rspec/#/rspec/S3854/javascript',
+        url: 'https://sonarsource.github.io/rspec/#/rspec/S8441/javascript',
         requiresTypeChecking: false,
     },
     fixable: undefined,
     deprecated: false,
     defaultOptions: [],
 };
-exports.sonarKey = 'S3854';
-exports.scope = 'Main';
+exports.sonarKey = 'S8441';
+exports.scope = 'All';
 exports.languages = ['js', 'ts'];
 exports.requiredDependency = [];

package/cjs/{S3854 → S8441}/meta.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.eslintId = exports.implementation = void 0;
+exports.hasSecondaries = exports.eslintId = exports.implementation = void 0;
 /*
  * SonarQube JavaScript Plugin
  * Copyright (C) 2011-2025 SonarSource Sàrl
@@ -17,5 +17,7 @@ exports.eslintId = exports.implementation = void 0;
  * You should have received a copy of the Sonar Source-Available License
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
+// https://sonarsource.github.io/rspec/#/rspec/S8441/javascript
 exports.implementation = 'original';
-exports.eslintId = 'super-invocation';
+exports.eslintId = 'no-session-cookies-on-static-assets';
+exports.hasSecondaries = true;

package/cjs/S8441/rule.js

@@ -0,0 +1,132 @@
+"use strict";
+/*
+ * SonarQube JavaScript Plugin
+ * Copyright (C) 2011-2025 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+// https://sonarsource.github.io/rspec/#/rspec/S8441/javascript
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rule = void 0;
+const index_js_1 = require("../helpers/index.js");
+// If a rule has a schema, use this to extract it.
+// import { FromSchema } from 'json-schema-to-ts';
+const meta = __importStar(require("./generated-meta.js"));
+const messages = {
+    sessionSecondaryLocation: 'Session middleware declared here.',
+    moveStaticBeforeSession: 'Move this static middleware before the session middleware.',
+};
+// Extend this list to support additional session-cookie middlewares.
+const SESSION_MIDDLEWARES = ['express-session', 'cookie-session'];
+const STATIC_MIDDLEWARES = ['express.static'];
+exports.rule = {
+    meta: (0, index_js_1.generateMeta)(meta, { messages }),
+    create(context) {
+        let app = null;
+        let lastSessionMiddleware = null;
+        const scopeStack = [];
+        function isMiddleware(context, node, names) {
+            if (node.type !== 'CallExpression') {
+                return false;
+            }
+            const fqn = (0, index_js_1.getFullyQualifiedName)(context, node);
+            return fqn !== null && names.includes(fqn);
+        }
+        return {
+            Program() {
+                app = null;
+                lastSessionMiddleware = null;
+                scopeStack.length = 0;
+            },
+            ':function'(node) {
+                scopeStack.push({ app, lastSessionMiddleware });
+                const injectedApp = index_js_1.Express.attemptFindAppInjection(node, context, node);
+                if (injectedApp) {
+                    app = injectedApp;
+                    lastSessionMiddleware = null;
+                }
+            },
+            ':function:exit'() {
+                const previous = scopeStack.pop();
+                if (previous) {
+                    app = previous.app;
+                    lastSessionMiddleware = previous.lastSessionMiddleware;
+                }
+            },
+            VariableDeclarator(node) {
+                const varDecl = node;
+                const instantiatedApp = index_js_1.Express.attemptFindAppInstantiation(varDecl, context);
+                if (instantiatedApp) {
+                    app = instantiatedApp;
+                    lastSessionMiddleware = null;
+                }
+            },
+            CallExpression(node) {
+                if (!app) {
+                    return;
+                }
+                const callExpr = node;
+                if (!(0, index_js_1.isMethodInvocation)(callExpr, app.name, 'use', 1)) {
+                    return;
+                }
+                const flattenedArgs = (0, index_js_1.flattenArgs)(context, callExpr.arguments);
+                for (const middlewareNode of flattenedArgs) {
+                    if (isMiddleware(context, middlewareNode, SESSION_MIDDLEWARES)) {
+                        lastSessionMiddleware = callExpr;
+                        continue;
+                    }
+                    if (lastSessionMiddleware && isMiddleware(context, middlewareNode, STATIC_MIDDLEWARES)) {
+                        (0, index_js_1.report)(context, {
+                            node: callExpr,
+                            messageId: 'moveStaticBeforeSession',
+                            message: messages.moveStaticBeforeSession,
+                        }, [(0, index_js_1.toSecondaryLocation)(lastSessionMiddleware, messages.sessionSecondaryLocation)]);
+                    }
+                }
+            },
+        };
+    },
+};

package/cjs/helpers/ancestor.js

@@ -7,6 +7,7 @@ exports.ancestorsChain = ancestorsChain;
 exports.getParent = getParent;
 exports.getNodeParent = getNodeParent;
 exports.childrenOf = childrenOf;
+exports.isTsAncestor = isTsAncestor;
 const ast_js_1 = require("./ast.js");
 function findFirstMatchingLocalAncestor(node, predicate) {
     return localAncestorsChain(node).find(predicate);
@@ -76,3 +77,13 @@ function childrenOf(node, visitorKeys) {
     }
     return children.filter(Boolean);
 }
+function isTsAncestor(candidate, node) {
+    let current = node.parent;
+    while (current) {
+        if (current === candidate) {
+            return true;
+        }
+        current = current.parent;
+    }
+    return false;
+}

package/cjs/helpers/module-ts.js

@@ -21,6 +21,7 @@ exports.getFullyQualifiedNameTS = getFullyQualifiedNameTS;
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 const typescript_1 = __importDefault(require("typescript"));
+const ancestor_js_1 = require("./ancestor.js");
 const module_js_1 = require("./module.js");
 function getFullyQualifiedNameTS(services, rootNode) {
     const result = [];
@@ -108,8 +109,12 @@ function getFullyQualifiedNameTS(services, rootNode) {
             case typescript_1.default.SyntaxKind.Identifier: {
                 const identifierSymbol = services.program.getTypeChecker().getSymbolAtLocation(node);
                 const declaration = identifierSymbol?.declarations?.at(0);
-                // Handle: no symbol info, compiler module, or self-referential declaration (e.g., `module` in CommonJS)
-                if (isCompilerModule(identifierSymbol) || !declaration || declaration === node) {
+                // Handle: no symbol info, compiler module, self-referential declaration (e.g., `module` in CommonJS),
+                // or declaration that contains the root node (e.g., `const geo = geo(request)` where import is shadowed)
+                if (isCompilerModule(identifierSymbol) ||
+                    !declaration ||
+                    declaration === node ||
+                    (0, ancestor_js_1.isTsAncestor)(declaration, rootNode)) {
                     result.push(node.text);
                     return returnResult();
                 }