JS-1177 Fix FP on S7739 where validation library 'then' config property was flagged incorrectly (#6361)

sonar-nigel[bot] · Vibe Bot · claude · web-flow · commit e5c49e7cdf81 · 2026-02-18T15:38:02.000+01:00
Co-authored-by: Vibe Bot &lt;vibe-bot@sonarsource.com&gt;
Co-authored-by: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
Co-authored-by: Francois Mora &lt;francois.mora@sonarsource.com&gt;
diff --git a/packages/jsts/src/rules/S7739/joi-project/unit.test.ts b/packages/jsts/src/rules/S7739/joi-project/unit.test.ts
@@ -33,6 +33,42 @@ describe('S7739', () => {
         `,
         filename: join(dirname, 'filename.ts'),
       },
+      {
+        // Chained joi calls - string().when() with {is, then} config
+        code: `
+          import Joi from 'joi';
+          const schema = Joi.string().when('type', {
+            is: 'email',
+            then: Joi.string().email().required(),
+          });
+        `,
+        filename: join(dirname, 'filename.ts'),
+      },
+      {
+        // Joi alternatives().conditional() with switch cases containing {is, then}
+        code: `
+          import Joi from 'joi';
+          const schema = Joi.alternatives().conditional('action', {
+            switch: [
+              { is: 'info', then: Joi.string() },
+              { is: 'create', then: Joi.object().required() },
+            ],
+            otherwise: Joi.forbidden(),
+          });
+        `,
+        filename: join(dirname, 'filename.ts'),
+      },
+      {
+        // Joi with CommonJS require
+        code: `
+          const Joi = require('joi');
+          const schema = Joi.string().when('field', {
+            is: 'value',
+            then: Joi.string().required(),
+          });
+        `,
+        filename: join(dirname, 'filename.js'),
+      },
     ],
     invalid: [
       {
diff --git a/packages/jsts/src/rules/S7739/no-validation-lib/unit.test.ts b/packages/jsts/src/rules/S7739/no-validation-lib/unit.test.ts
@@ -128,6 +128,19 @@ describe('S7739', () => {
         `,
           filename: testFilePath,
         },
+        // False Positive Pattern 5d: Assignment expression to Promise
+        {
+          code: `
+          let Promise;
+          Promise = function(executor) {
+            this.state = 'pending';
+            this.then = function(onFulfilled) {
+              this.onFulfilled = onFulfilled;
+            };
+          };
+        `,
+          filename: testFilePath,
+        },
         // False Positive Pattern 5c: Arrow function assigned to Deferred
         {
           code: `
@@ -238,6 +251,73 @@ describe('S7739', () => {
           filename: testFilePath,
           errors: [{ messageId: NO_THENABLE_OBJECT_ERROR }],
         },
+        // True Positive: Property with computed key - 'then' is still flagged
+        {
+          code: `
+          const obj = {
+            [1 + 1]: 'computed',
+            then: function() { return this; },
+          };
+        `,
+          filename: testFilePath,
+          errors: [{ messageId: NO_THENABLE_OBJECT_ERROR }],
+        },
+        // True Positive: Arrow function assignment NOT delegating to .then()
+        {
+          code: `
+          const result = {};
+          result.then = (args) => someOtherCall(args);
+        `,
+          filename: testFilePath,
+          errors: [{ messageId: NO_THENABLE_OBJECT_ERROR }],
+        },
+        // {is, then} pattern should be flagged without validation library dependency
+        {
+          code: `
+          const internals = {
+            when(field, options) { return options; },
+          };
+          const schema = internals.when('leftOperand', {
+            is: 'someValue',
+            then: { type: 'string' },
+            otherwise: { type: 'number' },
+          });
+        `,
+          filename: testFilePath,
+          errors: [{ messageId: NO_THENABLE_OBJECT_ERROR }],
+        },
+        {
+          code: `
+          const switchCases = [
+            {
+              is: 'info',
+              then: { type: 'allow' },
+            },
+            {
+              is: 'create',
+              then: { type: 'object', required: true },
+            },
+          ];
+        `,
+          filename: testFilePath,
+          errors: 2,
+        },
+        {
+          code: `
+          function createValidator() {
+            return {
+              when(field, options) { return this; },
+              required() { return this; },
+            };
+          }
+          const nameSchema = createValidator().when('hasName', {
+            is: true,
+            then: (schema) => schema,
+          });
+        `,
+          filename: testFilePath,
+          errors: [{ messageId: NO_THENABLE_OBJECT_ERROR }],
+        },
       ],
     });
   });
diff --git a/packages/jsts/src/rules/S7739/rule.ts b/packages/jsts/src/rules/S7739/rule.ts
@@ -25,6 +25,7 @@ import {
   interceptReport,
   isIdentifier,
 } from '../helpers/index.js';
+import { getDependenciesSanitizePaths } from '../helpers/package-jsons/dependencies.js';
 import * as meta from './generated-meta.js';
 
 const noThenable = rules['no-thenable'];
@@ -37,9 +38,17 @@ const noThenable = rules['no-thenable'];
 const EXCEPTION_LIBRARIES = ['yup', 'joi'];
 
 /**
- * Checks if a node is inside a call expression from one of the exception libraries
+ * Checks if a node is inside a call expression from one of the exception libraries.
+ * Uses two detection strategies:
+ * 1. FQN check on ancestor CallExpressions (handles direct calls like yup.object({then: ...}))
+ * 2. Conditional validation config pattern ({is, then}) when a validation library is a dependency
  */
 function isInsideExceptionLibraryCall(context: Rule.RuleContext, node: Node): boolean {
+  const dependencies = getDependenciesSanitizePaths(context);
+  if (!EXCEPTION_LIBRARIES.some(lib => dependencies.has(lib))) {
+    return false;
+  }
+
   const ancestors = context.sourceCode.getAncestors(node);
 
   for (const ancestor of ancestors) {
@@ -51,7 +60,7 @@ function isInsideExceptionLibraryCall(context: Rule.RuleContext, node: Node): bo
     }
   }
 
-  return false;
+  return isConditionalValidationConfig(node);
 }
 
 /**
@@ -304,6 +313,22 @@ function hasSiblingThenableMethods(node: Node): boolean {
   return hasCompleteThenable(propertyNames);
 }
 
+/**
+ * Checks if 'then' is inside an object that also has an 'is' property,
+ * indicating a conditional validation config pattern (e.g., {is: ..., then: ...}).
+ * This pattern is used by validation libraries like Yup and Joi in their
+ * .when() and .conditional() methods.
+ */
+function isConditionalValidationConfig(node: Node): boolean {
+  const ancestors = getAncestorsWithParent(node);
+  const objectExpr = ancestors.find(a => a.type === 'ObjectExpression');
+  if (objectExpr?.type !== 'ObjectExpression') {
+    return false;
+  }
+  const propertyNames = collectPropertyNames(objectExpr);
+  return propertyNames.has('then') && propertyNames.has('is');
+}
+
 /**
  * Checks if the reported node represents an intentional thenable implementation
  * that should not be flagged.
diff --git a/packages/jsts/src/rules/S7739/yup-project/unit.test.ts b/packages/jsts/src/rules/S7739/yup-project/unit.test.ts
@@ -33,6 +33,63 @@ describe('S7739', () => {
         `,
         filename: join(dirname, 'filename.ts'),
       },
+      {
+        // Chained yup calls - string().when() with {is, then} config
+        code: `
+          import * as yup from 'yup';
+          const schema = yup.string().when('hasName', {
+            is: true,
+            then: (schema) => schema.required(),
+          });
+        `,
+        filename: join(dirname, 'filename.ts'),
+      },
+      {
+        // Chained yup calls inside object shape definition
+        // This is the most common real-world pattern from the Jira ticket
+        code: `
+          import * as yup from 'yup';
+          const formSchema = yup.object().shape({
+            age: yup.number().required(),
+            parentalConsent: yup.bool().when('age', {
+              is: (age) => age < 18,
+              then: (schema) => schema.required(),
+              otherwise: (schema) => schema.optional(),
+            }),
+          });
+        `,
+        filename: join(dirname, 'filename.ts'),
+      },
+      {
+        // Multiple chained .when() calls with {is, then} in same shape
+        code: `
+          import * as yup from 'yup';
+          const schema = yup.object().shape({
+            a1: yup.string().when('a2', {
+              is: undefined,
+              then: (schema) => schema.required(),
+            }),
+            a2: yup.string().when('a1', {
+              is: undefined,
+              then: (schema) => schema.required(),
+            }),
+          });
+        `,
+        filename: join(dirname, 'filename.ts'),
+      },
+      {
+        // Yup .when() with array of dependencies
+        code: `
+          import * as yup from 'yup';
+          const schema = yup.object().shape({
+            value: yup.number().when(['unknownDep', 'knownDep'], {
+              is: true,
+              then: (s) => s.required(),
+            }),
+          });
+        `,
+        filename: join(dirname, 'filename.ts'),
+      },
     ],
     invalid: [
       {
