Add the domain used to the alert message

Author: joefarebrother

java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll

@@ -128,12 +128,21 @@ private class UntrustedUrlConfig extends TaintTracking::Configuration {
 }
 
 /** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
-predicate missingPinning(DataFlow::Node node) {
+predicate missingPinning(DataFlow::Node node, string domain) {
   isAndroid() and
   node instanceof MissingPinningSink and
   (
-    not exists(string s | trustedDomain(s))
+    not exists(string s | trustedDomain(s)) and
+    domain = ""
     or
-    exists(UntrustedUrlConfig conf | conf.hasFlow(_, node))
+    exists(UntrustedUrlConfig conf, DataFlow::Node src |
+      conf.hasFlow(src, node) and
+      domain = getDomain(src.asExpr())
+    )
   )
 }
+
+/** Gets the domain name from the given string literal */
+private string getDomain(CompileTimeConstantExpr expr) {
+  result = expr.getStringValue().regexpCapture("(https?://)?([^/]*)/?", 2)
+}

java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql

@@ -13,10 +13,10 @@
 import java
 import semmle.code.java.security.AndroidCertificatePinningQuery
 
-from DataFlow::Node node, string msg
+from DataFlow::Node node, string domain, string msg
 where
-  missingPinning(node) and
-  if exists(string x | trustedDomain(x))
-  then msg = "(untrusted domain)"
-  else msg = "(no trusted domains)"
+  missingPinning(node, domain) and
+  if domain = ""
+  then msg = "(no explicitly trusted domains)"
+  else msg = "(" + domain + " is not trusted by a pin)"
 select node, "This network call does not implement certificate pinning. " + msg