Add a bit of additional context to the alert message; fix issue with finding the config file

java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll

@@ -1,3 +1,5 @@
+/** Definitiona for the Android Missing Certificate Pinning query. */
+
 import java
 import semmle.code.xml.AndroidManifest
 import semmle.code.java.dataflow.TaintTracking
@@ -8,7 +10,7 @@ class AndroidNetworkSecurityConfigFile extends XmlFile {
     exists(AndroidApplicationXmlElement app, AndroidXmlAttribute confAttr, string confName |
       confAttr.getElement() = app and
       confAttr.getValue() = "@xml/" + confName and
-      this.getRelativePath() = "res/xml/" + confName + ".xml" and
+      this.getRelativePath().matches("%res/xml/" + confName + ".xml") and
       this.getARootElement().getName() = "network-security-config"
     )
   }

java/ql/src/experimental/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql

@@ -4,7 +4,7 @@
  * @kind problem
  * @problem.severity warning
  * @precision medium
- * @id java/android/missingcertificate-pinning
+ * @id java/android/missing-certificate-pinning
  * @tags security
  *       external/cwe/cwe-295
  */
@@ -12,6 +12,10 @@
 import java
 import semmle.code.java.security.AndroidCertificatePinningQuery
 
-from DataFlow::Node node
-where missingPinning(node)
-select node, "This network call does not implement certificate pinning."
+from DataFlow::Node node, string msg
+where
+  missingPinning(node) and
+  if exists(string x | trustedDomain(x))
+  then msg = "(untrusted domain)"
+  else msg = "(no trusted domains)"
+select node, "This network call does not implement certificate pinning. " + msg