From c3da3a9aeff4af06b61287d1d501dbb1cabfc059 Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Mon, 7 Nov 2022 13:21:45 +0000
Subject: [PATCH] Add a bit of additional context to the alert message; fix issue with finding the config file
---
 .../java/security/AndroidCertificatePinningQuery.qll | 4 +++-
 .../CWE/CWE-295/AndroidMissingCertificatePinning.ql | 12 ++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
index e99bb8d9930..645aa1169c4 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
@@ -1,3 +1,5 @@
+/** Definitiona for the Android Missing Certificate Pinning query. */
+
 import java
 import semmle.code.xml.AndroidManifest
 import semmle.code.java.dataflow.TaintTracking
@@ -8,7 +10,7 @@ class AndroidNetworkSecurityConfigFile extends XmlFile {
 exists(AndroidApplicationXmlElement app, AndroidXmlAttribute confAttr, string confName |
 confAttr.getElement() = app and
 confAttr.getValue() = "@xml/" + confName and
- this.getRelativePath() = "res/xml/" + confName + ".xml" and
+ this.getRelativePath().matches("%res/xml/" + confName + ".xml") and
 this.getARootElement().getName() = "network-security-config"
 )
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql b/java/ql/src/experimental/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
index c94bd08fd87..60328fac38e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
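Review bot: The QLDoc added at the top of the library file misspells its first word, `/** Definitiona for the Android Missing Certificate Pinning query. */`; it should read `/** Definitions for the Android Missing Certificate Pinning query. */`. This comment is what the generated library documentation will show for the module, so the typo is worth fixing before merge.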
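Review bot: The new `this.getRelativePath().matches("%res/xml/" + confName + ".xml")` check is looser than the exact path comparison it replaces in two ways that affect which file the query treats as the app's network security config. CodeQL's `matches` uses SQL-LIKE semantics, so the `_` that Android resource names routinely contain (`network_security_config`) becomes a single-character wildcard, and the unanchored `%` prefix also accepts any path that merely ends in `res/xml/…` — a sibling module, a build-output copy, or a test fixture — rather than the `res/xml` directory beside the manifest that declares `android:networkSecurityConfig`. Android resource names are restricted to `[a-z0-9_]`, so a regex anchored on a directory boundary avoids both problems: `this.getRelativePath().regexpMatch("(.*/)?res/xml/" + confName + "\\.xml") and`. If several modules in one database declare configs with the same name, the class will still relate the manifest to every matching file; tying the file to the manifest's own source directory would be the stricter fix, though that needs a location comparison this hunk does not show. The characteristic predicate this line belongs to starts before the hunk.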
@@ -4,7 +4,7 @@
 * @kind problem
 * @problem.severity warning
 * @precision medium
- * @id java/android/missingcertificate-pinning
+ * @id java/android/missing-certificate-pinning
 * @tags security
 * external/cwe/cwe-295
 */
@@ -12,6 +12,10 @@
 import java
 import semmle.code.java.security.AndroidCertificatePinningQuery
-from DataFlow::Node node
-where missingPinning(node)
-select node, "This network call does not implement certificate pinning."
+from DataFlow::Node node, string msg
+where
+ missingPinning(node) and
+ if exists(string x | trustedDomain(x))
+ then msg = "(untrusted domain)"
+ else msg = "(no trusted domains)"
+select node, "This network call does not implement certificate pinning. " + msg
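Review bot: The added `msg` qualifies the alert in a way a triager can misread: `(untrusted domain)` suggests the destination host itself is untrustworthy, whereas what the query has established — via `trustedDomain`, which is not defined in this hunk and presumably comes from the imported `AndroidCertificatePinningQuery` library — is only that some pinned domains exist and this call's destination is not among them. Wording such as `then msg = "(domain is not in the set of pinned domains)"` and `else msg = "(no domains are pinned in this app)"` states the actual finding and avoids implying a judgement about the host. Because `exists(string x | trustedDomain(x))` does not depend on `node`, every result in a database receives the same suffix, which is fine but deserves a one-line comment, e.g. `// The suffix is per-database: it only records whether any pinning configuration exists at all.` The `where` condition `missingPinning(node)` and the `@precision medium` metadata are unchanged, so the result set itself is not affected by this hunk.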