
Cover CAP's Fluent API to construct cds.ql queries #29

Merged
merged 74 commits into from
Jan 19, 2024

Conversation

Contributor

@jeongsoolee09 jeongsoolee09 commented Aug 14, 2023

Model CAP's Fluent API that constructs CQL query objects. This PR aims to cover all API combinations of the following:

  • SELECT
    • .one
    • .distinct
    • .columns() (including SELECT itself behaving as a shortcut for it)
    • .from()
    • .alias()
    • .where()
    • .having()
    • .groupBy()
    • .orderBy()
    • .limit()
    • .forUpdate()
    • .forShareLock()
  • INSERT
    • .into()
    • .entries() (including INSERT itself behaving as a shortcut for it)
    • .values()
    • .rows()
    • .as()
  • DELETE
    • .from()
    • .where()
  • UPDATE
    • .entity() (including UPDATE itself behaving as a shortcut for it)
    • .set()
    • .with()
    • .where()
  • UPSERT
    • .into()
    • .entries() (including UPSERT itself behaving as a shortcut for it)

What this PR does not cover:

  • Full CQL language: e.g. CQL `SELECT col1, col2, col3 from Table`;
  • CQN objects, which are canonical forms of the CQL language, e.g.:

```js
var select = {
  SELECT: {
    distinct: true,
    columns: [{ ref: ["Foo"] }, { ref: ["Boo"] }, { ref: ["Moo"] }],
    from: { ref: ["Bar"] },
    limit: {
      rows: { val: 7 },
    },
    where: [{ ref: ["col1"] }, ">", { val: 2 }],
    groupBy: [{ ref: ["col1"] }, { ref: ["col2", "prop2"] }],
  },
};
```

This PR also adds some modelling for the CDS custom in-source Service modelling.

It covers:

and request handlers registered in user definitions of services, but it remains to be tested whether it will miss ones that are added later, for example
one consideration for this is, for the RequestSource implementation: do we need to actually ever know which service the handler is associated with?

It does not cover:

  • RemoteService
  • MessagingService
  • DatabaseService
  • SqlService

Lastly, this PR adds a basic SQL injection query that uses the above models (i.e. request objects received in event handlers that end up in CQL SQL statements and are run).
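The SQL injection pattern that the query in this PR targets, as an added example that is not part of the PR or of SAP CAP's code: a small heuristic scanner in JavaScript that reads a service implementation as text and flags the cds.ql clause calls listed above when their argument is assembled by string concatenation or an untagged template literal, while letting the object-literal and tagged-template forms through. It rests on the premise that cds.ql parses a plain string argument as CQL text, whereas values given in an object literal or in a tagged template (a template literal written directly after the method name) are bound as parameters. The sample handler module it scans is constructed for the example; @sap/cds is not loaded. The CodeQL query in the PR does this properly by tracking data flow from the request object into the statement; this only inspects the call's argument text, so it is a cheap pre-commit check, not a substitute.

```javascript
// Added example (not code from the CodeQL PR or from @sap/cds): heuristic scanner
// for cds.ql clause calls whose text is assembled at runtime. Premise: a plain string
// argument is parsed as CQL text; object literals and tagged templates bind values.

// Fluent-API clause methods that accept either a string or a structured value.
const CLAUSE_METHODS = ["columns", "from", "where", "having", "groupBy",
  "orderBy", "into", "entity", "set", "with"];

// Skip a quoted/template literal starting at src[i]; return the index after its
// closing quote. Backslash escapes are honoured; nested backticks inside ${} are not.
function skipLiteral(src, i) {
  const quote = src[i++];
  while (i < src.length && src[i] !== quote) {
    if (src[i] === "\\") i++;
    i++;
  }
  return i + 1;
}

// Text of the balanced "(...)" whose "(" is at src[open], plus the index of the
// matching ")". Literals are skipped so a ")" inside quotes does not end the scan.
function extractArgs(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (ch === "'" || ch === '"' || ch === "`") { i = skipLiteral(src, i) - 1; continue; }
    if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) return { text: src.slice(open + 1, i), end: i };
  }
  return null; // unbalanced
}

// True when a "+" sits at bracket depth 0 outside any literal: the argument list
// is a runtime concatenation rather than a fixed literal or a bound-value list.
function hasTopLevelPlus(text) {
  let depth = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === "'" || ch === '"' || ch === "`") { i = skipLiteral(text, i) - 1; continue; }
    if ("([{".includes(ch)) depth++;
    else if (")]}".includes(ch)) depth--;
    else if (ch === "+" && depth === 0) return true;
  }
  return false;
}

// Reason string when the clause text is built at runtime; null for structured
// values, fixed literals, or anything the heuristic cannot judge.
function classifyArgs(argText) {
  const t = argText.trim();
  if (t.startsWith("`") && t.includes("${")) return "untagged template literal with interpolation";
  if (/['"`]/.test(t) && hasTopLevelPlus(t)) return "string concatenation";
  return null;
}

// Scan JavaScript source text; one finding per risky clause call. A method name
// followed directly by a backtick is a tagged template, which cds.ql parameterises.
function findRiskyCqlCalls(src) {
  const findings = [];
  const re = new RegExp("\\.(" + CLAUSE_METHODS.join("|") + ")\\s*(\\(|`)", "g");
  let m;
  while ((m = re.exec(src)) !== null) {
    if (m[2] === "`") continue; // tagged template: values are bound, not spliced
    const args = extractArgs(src, m.index + m[0].length - 1);
    if (!args) continue;
    const reason = classifyArgs(args.text);
    if (reason) {
      const line = src.slice(0, m.index).split("\n").length;
      findings.push({ method: m[1], line, reason, snippet: args.text.trim() });
    }
  }
  return findings;
}

// Constructed sample CAP service implementation (text only; @sap/cds is not loaded):
// two handlers splice request data into CQL text, two bind it as parameters.
const SAMPLE_HANDLER = `
const cds = require('@sap/cds')
const { SELECT, UPDATE } = cds.ql
module.exports = srv => {
  const { Books } = srv.entities
  srv.on('READ', 'Books', async req => {
    // risky: the request value becomes part of the CQL text
    return SELECT.from(Books).where('ID = ' + req.data.ID)
  })
  srv.on('search', async req => {
    // risky: an untagged template literal is just a string
    return SELECT.from(Books).where(\`title like '%\${req.data.q}%'\`)
  })
  srv.on('UPDATE', 'Books', async req => {
    // fine: object form puts the value in a {val} node
    return UPDATE(Books).set({ stock: req.data.stock }).where({ ID: req.data.ID })
  })
  srv.on('byTitle', async req => {
    // fine: tagged template, values are bound as parameters
    return SELECT.from(Books).where\`title = \${req.data.title}\`
  })
}
`;

console.log(JSON.stringify(findRiskyCqlCalls(SAMPLE_HANDLER), null, 2));
```

Run with `node` to list the two risky calls (lines 8 and 12 of the sample) with their argument text. The scanner deliberately tracks only parentheses and literals rather than parsing JavaScript, so a call split across lines or hidden behind a helper function escapes it; that gap is exactly what the data-flow-based CodeQL query closes.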

@jeongsoolee09 jeongsoolee09 self-assigned this Aug 16, 2023

@github-advanced-security github-advanced-security bot left a comment

CodeQL found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.


@rvermeulen rvermeulen left a comment

First iteration. Most important part is that we need to properly represent CQL expression clauses as we are now mixing those with expressions themselves.

The parent relationship between CQL expression clauses is not correct and that needs to be addressed. The predicate `getAnAncestorCqlExpr` is not equal to the transitive closure of `getCqlParentExpr`.


@github-advanced-security github-advanced-security bot left a comment

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

isolate each test type
for case when objects are obtained
through ql member of cds module
@knewbury01 knewbury01 requested a review from mbaluda January 9, 2024 19:15
add extra sink for await on sql stmt
and improve test for that
also add metadata to query
Contributor

@mbaluda mbaluda left a comment

The modelling of CQL and CDS looks good to me, as well as the tests.
The sqlinjection query can be improved in future PRs.
Maybe you could add QLDoc to `CQL.qll` entities?

@knewbury01 knewbury01 enabled auto-merge January 18, 2024 17:14
@knewbury01 knewbury01 requested a review from rvermeulen January 19, 2024 20:30
@rvermeulen rvermeulen dismissed their stale review January 19, 2024 22:09

Deferred review to @mbaluda

@knewbury01 knewbury01 merged commit 47c9219 into main Jan 19, 2024
8 checks passed
@knewbury01 knewbury01 deleted the jeongsolee09/CAP-first-draft branch January 19, 2024 22:09