Implement pinning through a TrustManager

+ Fix that the query was accidentally placed in experimental
2025-12-21 11:16:30 +01:00 · 2022-11-23 10:30:24 +00:00
parent 4afecf575e
commit c8aca06190
2 changed files with 62 additions and 2 deletions
--- a/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
+++ b/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Android Missing Certificate Pinning
+ * @description Network communication should use certificate pinning.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @id java/android/missing-certificate-pinning
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import java
+import semmle.code.java.security.AndroidCertificatePinningQuery
+
+from DataFlow::Node node, string msg
+where
+  missingPinning(node) and
+  if exists(string x | trustedDomain(x))
+  then msg = "(untrusted domain)"
+  else msg = "(no trusted domains)"
+select node, "This network call does not implement certificate pinning. " + msg