
Display analysis information

Status: Open. fariss opened this issue 1 year ago • 4 comments

Closes #857.

This commit introduces two new metadata fields to result_document. Would this be considered a breaking change?

This would require regenerating the rdoc test files. See https://github.com/mandiant/capa-testfiles/pull/239.

Checklist

  • [ ] No CHANGELOG update needed
  • [ ] No new tests needed
  • [ ] No documentation update needed

fariss avatar Jun 10 '24 08:06 fariss

I think this requires regenerating the files in tests/data/rd/

mr-tz avatar Jun 10 '24 14:06 mr-tz

Should be good to go once https://github.com/mandiant/capa-testfiles/pull/239 is merged.

fariss avatar Jun 10 '24 18:06 fariss

Stepping back here for a moment, let's consider if we want to implement this differently:

  • add new characteristics: few imports, few detected library functions
  • add new limitation rules using these features
  • update behavior to handle has_file_limitation or similar

That way we can handle the various limitations/warnings consistently. The core extraction logic still resides in capa but we don't have to extend the metadata.

Related: should we provide functionality to leverage this more easily in other tools? Right now other tools need to reimplement the logic we have in capa.main to handle special cases/detections.

mr-tz avatar Jun 11 '24 09:06 mr-tz
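The design sketched in the comment above (file-level characteristic features, limitation rules that match on them, and a single has_file_limitation check that downstream tools can call) as a self-contained Python illustration. This is an added example, not capa's code or API: the Feature/Rule classes, the thresholds, the rule names and the sample feature sets are all constructed for this example, and the real characteristic names and thresholds would be decided in the rule set.

```python
# Hypothetical sketch of the proposed design (not capa's real API):
# extracted features -> derived file-level characteristics -> limitation rules
# -> one has_file_limitation() answer that other tools can reuse.

from dataclasses import dataclass

# Thresholds are assumptions for this example, not values taken from capa.
FEW_IMPORTS_THRESHOLD = 5
FEW_LIBRARY_FUNCTIONS_THRESHOLD = 3


@dataclass(frozen=True)
class Feature:
    kind: str    # e.g. "import", "library function", "characteristic"
    value: str


def derive_characteristics(features):
    """Derive file-level characteristic features from the extracted feature set.

    The counts live in the extractor, so rule authors only see the
    resulting characteristic features and never reimplement the counting.
    """
    imports = {f.value for f in features if f.kind == "import"}
    libfuncs = {f.value for f in features if f.kind == "library function"}
    derived = set()
    if len(imports) < FEW_IMPORTS_THRESHOLD:
        derived.add(Feature("characteristic", "few imports"))
    if len(libfuncs) < FEW_LIBRARY_FUNCTIONS_THRESHOLD:
        derived.add(Feature("characteristic", "few detected library functions"))
    return derived


@dataclass(frozen=True)
class Rule:
    name: str
    required: frozenset       # every feature here must be present (conjunction)
    is_limitation: bool = False


# Hypothetical limitation rules expressed purely in terms of features.
LIMITATION_RULES = [
    Rule("file has few imports (possibly packed or obfuscated)",
         frozenset({Feature("characteristic", "few imports")}), is_limitation=True),
    Rule("file has few detected library functions (signatures may be missing)",
         frozenset({Feature("characteristic", "few detected library functions")}),
         is_limitation=True),
]


def match_rules(rules, features):
    """Return the rules whose required features are all present."""
    return [r for r in rules if r.required <= features]


def has_file_limitation(matches):
    """The single check other tools would call instead of copying capa.main logic."""
    return any(r.is_limitation for r in matches)


def analyze(features, rules=LIMITATION_RULES):
    all_features = set(features) | derive_characteristics(features)
    matches = match_rules(rules, all_features)
    return {
        "characteristics": sorted(f.value for f in all_features if f.kind == "characteristic"),
        "matches": [r.name for r in matches],
        "has_file_limitation": has_file_limitation(matches),
    }


# Constructed sample feature sets (not real extractor output).
SAMPLE_SPARSE = [
    Feature("import", "kernel32.LoadLibraryA"),
    Feature("import", "kernel32.GetProcAddress"),
]
SAMPLE_NORMAL = [Feature("import", f"kernel32.Api{i}") for i in range(8)] + [
    Feature("library function", name) for name in ("memcpy", "strlen", "printf", "malloc")
]

if __name__ == "__main__":
    for label, sample in (("sparse", SAMPLE_SPARSE), ("normal", SAMPLE_NORMAL)):
        print(label, analyze(sample))
```

Because the limitation decision is just "did a limitation rule match", a consumer of the result document can present a warning without knowing how "few imports" was computed, which is the consistency the comment is after.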

@mr-tz this would require many fewer breaking changes, which I like

williballenthin avatar Jun 11 '24 13:06 williballenthin