JS-1584 Fix S905 false positive for comma operators sequencing side effects (#6855)

Co-authored-by: Vibe Bot <vibe-bot@sonarsource.com>

Author: sonar-nigel[bot]

its/ruling/src/test/expected/Ghost/javascript-S905.json

@@ -1,7 +1,4 @@
 {
-"Ghost:core/client/tests/integration/components/gh-profile-image-test.js": [
-46
-],
 "Ghost:core/test/functional/routes/api/posts_spec.js": [
 818
 ],

its/ruling/src/test/expected/ace/javascript-S905.json

@@ -7,9 +7,6 @@
 6606,
 6611
 ],
-"ace:lib/ace/mode/javascript/jshint.js": [
-2387
-],
 "ace:lib/ace/worker/worker_client_v2.js": [
 55
 ],

packages/analysis/src/jsts/rules/README.md

@@ -158,7 +158,7 @@ If you have any questions, encounter any bugs, or have feature requests, please
 | [confidential-information-logging](https://sonarsource.github.io/rspec/#/rspec/S5757/javascript)     | Allowing confidential information to be logged is security-sensitive                                                           | ✅  |     |     |     |     |
 | [constructor-for-side-effects](https://sonarsource.github.io/rspec/#/rspec/S1848/javascript)         | Objects should not be created to be dropped immediately without being used                                                     | ✅  |     |     |     |     |
 | [content-length](https://sonarsource.github.io/rspec/#/rspec/S5693/javascript)                       | HTTP request content length should be limited                                                                                  | ✅  |     |     |     |     |
-| [content-security-policy](https://sonarsource.github.io/rspec/#/rspec/S5728/javascript)              | Disabling content security policy fetch directives is security-sensitive                                                       | ✅  |     |     |     |     |
+| [content-security-policy](https://sonarsource.github.io/rspec/#/rspec/S5728/javascript)              | Content security policy fetch directives should not be disabled                                                                | ✅  |     |     |     |     |
 | [cookie-no-httponly](https://sonarsource.github.io/rspec/#/rspec/S3330/javascript)                   | Creating cookies without the "HttpOnly" flag is security-sensitive                                                             | ✅  |     |     |     |     |
 | [cookies](https://sonarsource.github.io/rspec/#/rspec/S2255/javascript)                              | Writing cookies is security-sensitive                                                                                          |     |     |     |     | ❌  |
 | [cors](https://sonarsource.github.io/rspec/#/rspec/S5122/javascript)                                 | Cross-Origin Resource Sharing (CORS) policy should be restricted to trusted origins                                            | ✅  |     |     |     |     |
@@ -169,7 +169,7 @@ If you have any questions, encounter any bugs, or have feature requests, please
 | [destructuring-assignment-syntax](https://sonarsource.github.io/rspec/#/rspec/S3514/javascript)      | Destructuring syntax should be used for assignments                                                                            |     |     |     |     |     |
 | [different-types-comparison](https://sonarsource.github.io/rspec/#/rspec/S3403/javascript)           | Strict equality operators should not be used with dissimilar types                                                             | ✅  |     | 💡  | 💭  |     |
 | [disabled-auto-escaping](https://sonarsource.github.io/rspec/#/rspec/S5247/javascript)               | Disabling auto-escaping in template engines is security-sensitive                                                              | ✅  |     |     | 💭  |     |
-| [disabled-resource-integrity](https://sonarsource.github.io/rspec/#/rspec/S5725/javascript)          | Using remote artifacts without integrity checks is security-sensitive                                                          | ✅  |     |     | 💭  |     |
+| [disabled-resource-integrity](https://sonarsource.github.io/rspec/#/rspec/S5725/javascript)          | Remote artifacts should not be used without integrity checks                                                                   | ✅  |     |     | 💭  |     |
 | [disabled-timeout](https://sonarsource.github.io/rspec/#/rspec/S6080/javascript)                     | Disabling Mocha timeouts should be explicit                                                                                    | ✅  |     |     |     |     |
 | [dns-prefetching](https://sonarsource.github.io/rspec/#/rspec/S5743/javascript)                      | Allowing browsers to perform DNS prefetching is security-sensitive                                                             |     |     |     |     | ❌  |
 | [dompurify-unsafe-config](https://sonarsource.github.io/rspec/#/rspec/S8479/javascript)              | DOMPurify configuration should not be bypassable                                                                               | ✅  |     |     |     |     |

packages/analysis/src/jsts/rules/S905/decorator.ts

@@ -19,7 +19,6 @@ import type estree from 'estree';
 import type { TSESTree } from '@typescript-eslint/utils';
 import { generateMeta } from '../helpers/generate-meta.js';
 import { interceptReport } from '../helpers/decorators/interceptor.js';
-import { last } from '../helpers/collection.js';
 import * as meta from './generated-meta.js';
 
 export function decorate(rule: Rule.RuleModule): Rule.RuleModule {
@@ -34,7 +33,7 @@ export function decorate(rule: Rule.RuleModule): Rule.RuleModule {
         containsChaiExpect(expr) ||
         containsValidChaiShould(expr) ||
         isAuraLightningComponent(expr) ||
-        isSequenceWithSideEffects(expr),
+        hasOnlySideEffects(expr),
     ),
   );
 }
@@ -91,10 +90,22 @@ function isIife(node: estree.Node): boolean {
   );
 }
 
-function isSequenceWithSideEffects(node: estree.Node): boolean {
-  return (
-    node.type === 'SequenceExpression' && last(node.expressions).type === 'AssignmentExpression'
-  );
+function hasOnlySideEffects(node: estree.Node): boolean {
+  switch (node.type) {
+    case 'AssignmentExpression':
+    case 'CallExpression':
+    case 'NewExpression':
+    case 'UpdateExpression':
+      return true;
+    case 'SequenceExpression':
+      return node.expressions.every(hasOnlySideEffects);
+    case 'ConditionalExpression':
+      return hasOnlySideEffects(node.consequent) && hasOnlySideEffects(node.alternate);
+    case 'LogicalExpression':
+      return hasOnlySideEffects(node.right);
+    default:
+      return false;
+  }
 }
 
 function isAuraLightningComponent(node: estree.Node): boolean {

packages/analysis/src/jsts/rules/S905/unit.test.ts

@@ -15,11 +15,29 @@
  * along with this program; if not, see https://sonarsource.com/license/ssal/
  */
 import { rule } from './index.js';
+import { rules as tsEslintRules } from '../external/typescript-eslint/index.js';
 import { NoTypeCheckingRuleTester } from '../../../../tests/jsts/tools/testers/rule-tester.js';
 import { describe, it } from 'node:test';
 
 const ruleTester = new NoTypeCheckingRuleTester();
 
+// Sentinel: verify that the upstream ESLint rule still raises on the patterns our decorator fixes.
+// If this test starts failing (i.e., the upstream rule no longer reports these patterns),
+// it signals that the decorator can be safely removed.
+describe('S905 upstream sentinel', () => {
+  it('upstream no-unused-expressions raises on comma operator sequences with side effects that decorator suppresses', () => {
+    const upstreamRule = tsEslintRules['no-unused-expressions'];
+    ruleTester.run('no-unused-expressions', upstreamRule, {
+      valid: [],
+      invalid: [
+        { code: `a(), b();`, errors: 1 }, // sequence of calls — suppressed by decorator, raised by upstream
+        { code: `++i, ++j;`, errors: 1 }, // sequence of updates — suppressed by decorator, raised by upstream
+        { code: `x = 1, f();`, errors: 1 }, // assignment then call — suppressed by decorator, raised by upstream
+      ],
+    });
+  });
+});
+
 describe('S905', () => {
   it('S905', () => {
     ruleTester.run('Disallow unused expressions', rule, {
@@ -87,6 +105,54 @@ describe('S905', () => {
         });
       `,
         },
+        // comma operator sequencing multiple function calls — all operands are calls with side effects
+        {
+          code: `
+        for (let i = 0; i < items.length; i++) {
+          output.push(items[i]), log.push(i);
+        }
+      `,
+        },
+        // comma operator sequencing increments — all operands are updates with side effects
+        {
+          code: `
+        while (index < items.length) {
+          ++index, ++total;
+        }
+      `,
+        },
+        // assignment then call — both operands have side effects
+        {
+          code: `
+        while (lexer.pos < lexer.source.length) {
+          escaped = true, advance();
+        }
+      `,
+        },
+        // call then multiple increments — all operands have side effects
+        {
+          code: `
+        while (i < j) {
+          swap(array, i, j), ++i, --j;
+        }
+      `,
+        },
+        // ternary where alternate branch is a comma-operator sequence of assignments
+        {
+          code: `condition ? (state.x = 0) : (state.y = 1, state.z = 2);`,
+        },
+        // logical expression where right side is a comma-operator sequence of calls
+        {
+          code: `condition && (f(), g());`,
+        },
+        // nested ternary (UMD-style) where all branches are assignments or calls
+        {
+          code: `cond1 ? module.exports = factory() : cond2 ? define(factory) : (g = this, g.lib = factory());`,
+        },
+        // sequence of test-framework calls separated by commas
+        {
+          code: `it('first test', function() { assert(true); }), it('second test', function() { assert(true); });`,
+        },
       ],
       invalid: [
         {
@@ -152,6 +218,11 @@ describe('S905', () => {
             },
           ],
         },
+        // sequence where one element has no side effect — still flagged
+        {
+          code: `a + b, c();`,
+          errors: 1,
+        },
       ],
     });
   });