Fix a regression in applicationserviceinstance

jeongsoolee09 · jeongsoolee09 · commit fd0d13aba60f · 2025-06-24T16:35:13.000-04:00
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll
@@ -7,13 +7,26 @@ import advanced_security.javascript.frameworks.cap.CQL
 import advanced_security.javascript.frameworks.cap.RemoteFlowSources
 
 /**
- * The CDS facade that provides useful interfaces to the current CAP application.
+ * The CDS facade object that provides useful interfaces to the current CAP application.
+ * It also acts as a shortcut to `cds.db` when imported via `"@sap/cds"`.
+ *
  * ```js
  * const cds = require('@sap/cds')
  * ```
  */
+/* TODO: Does the `cds` object imported with `"@sap/cds/lib"` also have shortcut to `cds.db`?  */
 class CdsFacade extends API::Node {
-  CdsFacade() { this = API::moduleImport(["@sap/cds", "@sap/cds/lib"]) }
+  string importPath;
+
+  CdsFacade() {
+    importPath = ["@sap/cds", "@sap/cds/lib"] and
+    this = API::moduleImport(importPath)
+  }
+
+  /**
+   * Holds if this CDS facade object is imported via path `"@sap/cds/lib"`.
+   */
+  predicate isFromCdsLib() { importPath = "@sap/cds/lib" }
 
   Node getNode() { result = this.asSource() }
 }
@@ -36,7 +49,7 @@ class CdsEntitiesCall extends DataFlow::CallNode {
  * The property `db` of on a CDS facade, often accessed as `cds.db`.
  */
 class CdsDb extends SourceNode {
-  CdsDb() { exists(CdsFacade cds | this = cds.getMember("db").asSource()) }
+  CdsDb() { exists(CdsFacade cds | not cds.isFromCdsLib() | this = cds.getMember("db").asSource()) }
 
   MethodCallNode getRunCall() { result = this.getAMemberCall("run") }
 
@@ -268,7 +281,7 @@ abstract class CdsDbService extends ServiceInstance {
 
 class GloballyAccessedCdsDbService extends CdsDbService {
   GloballyAccessedCdsDbService() {
-    exists(CdsFacade cds |
+    exists(CdsFacade cds | not cds.isFromCdsLib() |
       this = cds.getMember("db").asSource() or
       this = cds.asSource()
     )
diff --git a/javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.ql b/javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.ql
@@ -21,7 +21,7 @@ import DataFlow::PathGraph
  * via `cds.entities`
  * ```javascript
  * // Obtained through `cds.entities`
- * const { Service1 } = cds.entities("sample.application.namespace");
+ * const Service1 = cds.entities("sample.application.namespace");
  * ```
  */
 class EntityEntry extends DataFlow::CallNode {
diff --git a/javascript/frameworks/cap/test/models/cds/applicationserviceinstance/applicationserviceinstance.expected b/javascript/frameworks/cap/test/models/cds/applicationserviceinstance/applicationserviceinstance.expected
@@ -1,3 +1,4 @@
+| applicationserviceinstance.js:1:13:1:31 | require("@sap/cds") |
 | applicationserviceinstance.js:2:11:2:60 | new cds ... ptions) |
 | applicationserviceinstance.js:3:12:3:67 | await n ... ptions) |
 | applicationserviceinstance.js:3:18:3:67 | new cds ... ptions) |

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+\| applicationserviceinstance.js:1:13:1:31 \| require("@sap/cds") \|`
`1`	`2`	`\| applicationserviceinstance.js:2:11:2:60 \| new cds ... ptions) \|`
`2`	`3`	`\| applicationserviceinstance.js:3:12:3:67 \| await n ... ptions) \|`
`3`	`4`	`\| applicationserviceinstance.js:3:18:3:67 \| new cds ... ptions) \|`