[JavaScript] Find Invocation Nodes without resolved callees that belong to external libraries

[jghebre]

Hi 👋,

I'm working on a project and I need a way to determine if Invocations nodes, without any found callees, originate from an external library. I'm not sure if there exists a mechanism to determine this information due to the callee not being found.

To my knowledge, for JavaScript, CodeQL does not analyze the node_modules by default and contains modeling of certain popular external libraries like express.

For example in this code:

var url = require('fast-url-parser');
.
.
.
var path = url.parse(request.url).pathname

Running this query:

from DataFlow::InvokeNode node
 where not exists(node.getACallee(0)) 
 select node, ...

Correctly finds the callee parse as not being found. However there are many invocation nodes without found callees throughout most packages and I just want to focus on the nodes that relate to external libraries.

I've looked into libraries like import semmle.javascript.dependencies.Dependencies to implement this but haven't found anything that worked yet.

Thanks!