feat: add W014 case-without-else rule

hellozzm · Pawansingh3889 · commit ac8469e9e957 · 2026-05-02T11:59:13.000+01:00
Warn on CASE expressions that lack an ELSE branch.\nUnmatched rows silently return NULL which is often unintended.\n\nCloses #4
diff --git a/sql_guard/rules/__init__.py b/sql_guard/rules/__init__.py
@@ -14,6 +14,7 @@
     UpdateWithoutWhere,
 )
 from sql_guard.rules.warnings import (
+    CaseWithoutElse,
     CommentedOutCode,
     CountDistinctUnbounded,
     FunctionOnIndexedColumn,
@@ -79,6 +80,7 @@
     TruncateTable(),
     CountDistinctUnbounded(),
     ScalarUdfInWhere(),
+    CaseWithoutElse(),
     # Structural (S001-S003)
     ImplicitCrossJoin(),
     DeeplyNestedSubquery(),
diff --git a/sql_guard/rules/warnings.py b/sql_guard/rules/warnings.py
@@ -484,6 +484,38 @@ def check_statement(self, statement: str, start_line: int, file: str) -> Finding
         return None
 
 
+class CaseWithoutElse(Rule):
+    """W014: CASE expression without ELSE returns NULL for unmatched rows.
+
+    ``CASE WHEN ... THEN ... END`` without an ``ELSE`` branch returns
+    ``NULL`` for any row that doesn't match a ``WHEN`` condition.
+    Often the author assumes the conditions are exhaustive when they
+    aren't, or downstream code can't handle NULLs.
+    """
+
+    id = "W014"
+    name = "case-without-else"
+    severity = "warning"
+    description = "CASE without ELSE returns NULL for unmatched rows"
+    multiline = True
+
+    _case = Rule._compile(r"\bCASE\b")
+    _end = Rule._compile(r"\bEND\b")
+    _else = Rule._compile(r"\bELSE\b")
+
+    def check_statement(self, statement: str, start_line: int, file: str) -> Finding | None:
+        if self._case.search(statement) and self._end.search(statement) and not self._else.search(statement):
+            return Finding(
+                rule_id=self.id,
+                severity=self.severity,
+                file=file,
+                line=start_line,
+                message="CASE without ELSE -- unmatched rows return NULL",
+                suggestion="Add an explicit ELSE clause, even if it's ELSE NULL for clarity",
+            )
+        return None
+
+
 class WindowMissingPartition(Rule):
     """W013: OVER() without PARTITION BY can yield unpredictable results."""
 
diff --git a/tests/fixtures/warnings.sql b/tests/fixtures/warnings.sql
@@ -44,3 +44,11 @@ WHERE dbo.fn_IsHighValue(total) = 1;
 SELECT *
 FROM orders o
 JOIN customers c ON UPPER(o.email) = UPPER(c.email);
+
+-- W014: CASE without ELSE
+SELECT
+  CASE
+    WHEN status = 'paid' THEN 1
+    WHEN status = 'pending' THEN 0
+  END AS paid_flag
+FROM orders;
diff --git a/tests/test_rules.py b/tests/test_rules.py
@@ -18,18 +18,18 @@
 
 class TestRuleRegistry:
     def test_all_rules_loaded(self) -> None:
-        assert len(ALL_RULES) == 36
+        assert len(ALL_RULES) == 37
 
     def test_10_errors(self) -> None:
         # 8 E-series + 2 T-series (T002 xp-cmdshell, T004 deprecated-outer-join).
         errors = [r for r in ALL_RULES if r.severity == "error"]
         assert len(errors) == 10
 
-    def test_26_warnings(self) -> None:
-        # 20 W-series + 3 S-series + 3 T-series (T001 with-nolock,
+    def test_27_warnings(self) -> None:
+        # 21 W-series + 3 S-series + 3 T-series (T001 with-nolock,
         # T003 cursor-declaration, T005 create-index-without-online).
         warnings = [r for r in ALL_RULES if r.severity == "warning"]
-        assert len(warnings) == 26
+        assert len(warnings) == 27
 
     def test_unique_ids(self) -> None:
         ids = [r.id for r in ALL_RULES]
@@ -193,6 +193,26 @@ def test_w016_not_in_value_list_ok(self, tmp_path) -> None:
         w016 = [f for f in result.findings if f.rule_id == "W016"]
         assert not w016
 
+    def test_w014_case_without_else(self) -> None:
+        findings = check([str(FIXTURES / "warnings.sql")])
+        w014 = [f for f in findings.findings if f.rule_id == "W014"]
+        assert len(w014) >= 1
+        assert "CASE" in w014[0].message
+
+    def test_w014_case_with_else_ok(self, tmp_path) -> None:
+        sql = tmp_path / "case_with_else.sql"
+        sql.write_text(
+            "SELECT CASE\n"
+            "  WHEN status = 'paid' THEN 1\n"
+            "  WHEN status = 'pending' THEN 0\n"
+            "  ELSE NULL\n"
+            "END AS paid_flag\n"
+            "FROM orders;\n"
+        )
+        result = check([str(sql)])
+        w014 = [f for f in result.findings if f.rule_id == "W014"]
+        assert not w014
+
 
 # ---------------------------------------------------------------------------
 # Clean file
