You can expand the list of untrusted domains in the CodeQL library used by the `js/functionality-from-untrusted-source` and `js/functionality-from-untrusted-domain` queries using CodeQL data extensions. This allows you to add additional domains to warn users about and to require Subresource Integrity (SRI) checks on specific content delivery network (CDN) hostnames.

For example, this YAML model can be used inside a CodeQL model pack to alert on uses of `example.com` in imported functionality, extending the `js/functionality-from-untrusted-domain` query:
```yaml
extensions:
  - addsTo:
      pack: codeql/javascript-all
      extensible: untrustedDomain
    data:
      - ["example.com"]
```
To add new hostnames that always require SRI checking, this YAML model can be used to require SRI on `cdn.example.com`, extending the `js/functionality-from-untrusted-source` query:
```yaml
extensions:
  - addsTo:
      pack: codeql/javascript-all
      extensible: isCdnDomainWithCheckingRequired
    data:
      - ["cdn.example.com"]
```
You would create a model pack with this information using metadata similar to that in the example below:
```yaml
name: my-org/javascript-untrusted-functionality-model-pack
version: 1.0.0
extensionTargets:
  # Must name the pack that defines the extensible predicates being extended
  # (the same pack given under addsTo above), not the Java library.
  codeql/javascript-all: '*'
dataExtensions:
  - models/**/*.yml
```
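The two YAML models and the pack metadata above are easy to get subtly wrong by hand: a hostname row with a scheme or path in it never matches, and an `extensionTargets` entry that names a different pack than `addsTo.pack` means CodeQL silently never applies the extension. The following script is an added example, not part of the CodeQL documentation or the CodeQL tooling. It builds both extension files and the pack metadata from plain Python lists, renders them as YAML with only the standard library, and checks that every `addsTo.pack` is covered by `extensionTargets`. The hostname validation rules, the function names, and the `qlpack.yml` / `models/` layout it writes are this example's own assumptions; the predicate names, pack name and query ids come from the text above.

```python
"""Build and sanity-check a CodeQL model pack that extends the
untrustedDomain and isCdnDomainWithCheckingRequired predicates.
Added example; assumes the standard qlpack.yml + models/ layout."""
import os
import tempfile

# Pack that defines the extensible predicates, and the query each one feeds.
PACK = "codeql/javascript-all"
EXTENSIBLES = {
    "untrustedDomain": "js/functionality-from-untrusted-domain",
    "isCdnDomainWithCheckingRequired": "js/functionality-from-untrusted-source",
}


def build_extension(extensible, hostnames):
    """Return one addsTo block as a dict, one single-column row per hostname.
    Rejects anything that is not a bare hostname (assumption: the predicates
    match on hostnames only, so a scheme or path would never match)."""
    if extensible not in EXTENSIBLES:
        raise ValueError(f"unknown extensible predicate: {extensible}")
    rows = []
    for host in hostnames:
        host = host.strip().lower()
        if not host or "://" in host or "/" in host or " " in host:
            raise ValueError(f"not a bare hostname: {host!r}")
        rows.append([host])
    return {"addsTo": {"pack": PACK, "extensible": extensible}, "data": rows}


def render_extensions_yaml(extensions):
    """Serialize a list of addsTo blocks in the layout CodeQL expects."""
    lines = ["extensions:"]
    for ext in extensions:
        lines.append("  - addsTo:")
        lines.append(f"      pack: {ext['addsTo']['pack']}")
        lines.append(f"      extensible: {ext['addsTo']['extensible']}")
        lines.append("    data:")
        for row in ext["data"]:
            cells = ", ".join(f'"{c}"' for c in row)
            lines.append(f"      - [{cells}]")
    return "\n".join(lines) + "\n"


def render_qlpack_yaml(name, version, targets, pattern="models/**/*.yml"):
    """Serialize the model pack metadata (qlpack.yml)."""
    lines = [f"name: {name}", f"version: {version}", "extensionTargets:"]
    for pack, version_range in targets.items():
        lines.append(f"  {pack}: '{version_range}'")
    lines += ["dataExtensions:", f"  - {pattern}"]
    return "\n".join(lines) + "\n"


def check_targets(extensions, targets):
    """Return packs referenced by addsTo that extensionTargets does not list.
    A non-empty result means the extension would never be applied."""
    referenced = {ext["addsTo"]["pack"] for ext in extensions}
    return sorted(referenced - set(targets))


def write_model_pack(root, name, version, targets, extensions):
    """Write qlpack.yml and models/untrusted.yml under root; refuse to write
    a pack whose targets do not cover the packs it extends."""
    missing = check_targets(extensions, targets)
    if missing:
        raise ValueError(f"extensionTargets is missing: {missing}")
    os.makedirs(os.path.join(root, "models"), exist_ok=True)
    with open(os.path.join(root, "qlpack.yml"), "w") as f:
        f.write(render_qlpack_yaml(name, version, targets))
    model_path = os.path.join(root, "models", "untrusted.yml")
    with open(model_path, "w") as f:
        f.write(render_extensions_yaml(extensions))
    return model_path


if __name__ == "__main__":
    exts = [
        build_extension("untrustedDomain", ["example.com"]),
        build_extension("isCdnDomainWithCheckingRequired", ["cdn.example.com"]),
    ]
    # The mismatch a reviewer should catch: Java target, JavaScript extension.
    print("missing targets:", check_targets(exts, {"codeql/java-all": "*"}))
    out = tempfile.mkdtemp(prefix="model-pack-")
    path = write_model_pack(out, "my-org/javascript-untrusted-functionality-model-pack",
                            "1.0.0", {PACK: "*"}, exts)
    print(open(path).read())
```

Run it and the first line reports `['codeql/javascript-all']` for the mismatched targets, while the written `models/untrusted.yml` contains both addsTo blocks in the same form as the documentation's examples; point `codeql database analyze --model-packs` at the generated directory name to use it.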