
Develop script to highlight features unused during matching #1683

Merged

Conversation

Aayush-Goel-04
Contributor

@Aayush-Goel-04 Aayush-Goel-04 commented Aug 6, 2023

closes #331

Logic Used

  1. Get all features from sample file using scripts/show_features.py.
  2. Create a set of all features present in rules in rules directory.
  3. Print all file features not present in rules feature set.

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

@Aayush-Goel-04
Contributor Author

Aayush-Goel-04 commented Aug 6, 2023

add color to count and feature class.

image

Collaborator

@williballenthin williballenthin left a comment

see recommendations inline. most are type hint updates. moving the get_all_features routine to Rule will help cut down on the logic duplicated across a few scripts, which is nice.

as for the output, would you:

  • highlight/color only the content between the parentheses, and
  • order the output from least to most common

all in all, this is neat, thank you @Aayush-Goel-04!

Review threads (all resolved):

  • capa/engine.py (outdated)
  • scripts/detect_duplicate_features.py (outdated)
  • scripts/detect_duplicate_features.py (outdated)
  • scripts/show-unused-features.py (outdated)
  • scripts/show-unused-features.py (outdated)
  • scripts/show-unused-features.py (outdated)
  • scripts/show-unused-features.py (outdated)
  • scripts/show-unused-features.py
@williballenthin
Collaborator

would you please also add a test showing the invocation of the script, like we do here: https://github.com/mandiant/capa/blob/master/tests/test_scripts.py#L45

Collaborator

@mr-tz mr-tz left a comment

only noting small things I've noticed, overall this is great

Review threads (all resolved):

  • scripts/show-unused-features.py (outdated)
  • scripts/show-unused-features.py (outdated)
  • scripts/show-unused-features.py (outdated)
  • scripts/show-unused-features.py (outdated)
@Aayush-Goel-04 Aayush-Goel-04 requested a review from mr-tz August 8, 2023 13:05
@williballenthin
Collaborator

please address test failures on python 3.8 (maybe syntax/typing related?).

@mr-tz
Collaborator

mr-tz commented Aug 9, 2023

=================================== FAILURES ===================================
_________________ test_scripts[show-unused-features.py-args6] __________________

script = 'show-unused-features.py'
args = ['/home/runner/work/capa/capa/tests/data/9324d1a8ae37a36ae560c37448c9705a.exe_']

    @pytest.mark.parametrize(
        "script,args",
        [
            pytest.param("capa2yara.py", [get_rules_path()]),
            pytest.param("capafmt.py", [get_rule_path()]),
            # not testing lint.py as it runs regularly anyway
            pytest.param("match-function-id.py", [get_file_path()]),
            pytest.param("show-capabilities-by-function.py", [get_file_path()]),
            pytest.param("show-features.py", [get_file_path()]),
            pytest.param("show-features.py", ["-F", "0x407970", get_file_path()]),
            pytest.param("show-unused-features.py", [get_file_path()]),
            pytest.param("capa_as_library.py", [get_file_path()]),
        ],
    )
    def test_scripts(script, args):
        script_path = get_script_path(script)
        p = run_program(script_path, args)
>       assert p.returncode == 0
E       AssertionError: assert 1 == 0
E        +  where 1 = CompletedProcess(args=['/opt/hostedtoolcache/Python/3.8.17/x64/bin/python', '/home/runner/work/capa/capa/tests/../scripts/show-unused-features.py', '/home/runner/work/capa/capa/tests/data/9324d1a8ae37a36ae560c37448c9705a.exe_'], returncode=1, stdout=b'').returncode

tests/test_scripts.py:55: AssertionError
----------------------------- Captured stderr call -----------------------------
Traceback (most recent call last):
  File "/home/runner/work/capa/capa/tests/../scripts/show-unused-features.py", line 55, in <module>
    ) -> Counter[Feature]:
TypeError: 'type' object is not subscriptable
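The three steps in the PR description (enumerate the sample's features, union every feature referenced by the rules, print the sample features that no rule references) and the Python 3.8 failure above (`Counter[Feature]` evaluated at runtime in a function signature) can be shown together in one small stand-alone script. This is an added example, not the script from this PR or capa's own code: features are modelled as constructed `(class, value)` tuples, the rule set and sample feature list are constructed inline, and the output follows the review requests (least to most common, colour only the value inside the parentheses). The `from __future__ import annotations` line is what keeps a `Counter[Feature]` annotation from being evaluated on older interpreters.

```python
from __future__ import annotations  # postpone annotation evaluation: Counter[Feature] in a
                                    # signature is no longer evaluated at import time (3.8 fix)

import collections
from typing import Counter, Dict, Iterable, List, Set, Tuple

# Constructed stand-in for a feature: (feature class, value), e.g. ("api", "kernel32.WriteFile").
Feature = Tuple[str, str]

# Constructed rule set: rule name -> features the rule references (not capa's real rules).
RULES: Dict[str, Set[Feature]] = {
    "create or open file": {("api", "kernel32.CreateFileA"), ("api", "kernel32.CreateFileW")},
    "write file": {("api", "kernel32.WriteFile")},
    "contains PDB path": {("string", ".pdb")},
}

# Constructed sample features, one entry per occurrence, as a feature extractor would yield them.
SAMPLE_FEATURES: List[Feature] = [
    ("api", "kernel32.CreateFileA"),
    ("api", "kernel32.CreateFileA"),
    ("api", "kernel32.WriteFile"),
    ("api", "kernel32.GetTickCount"),
    ("api", "kernel32.GetTickCount"),
    ("api", "kernel32.GetTickCount"),
    ("number", "0x1000"),
    ("string", "unused-in-rules"),
    ("string", "unused-in-rules"),
]

GREEN, CYAN, RESET = "\x1b[32m", "\x1b[36m", "\x1b[0m"


def count_features(features: Iterable[Feature]) -> Counter[Feature]:
    """Step 1: count how often each feature occurs in the sample."""
    return collections.Counter(features)


def get_rule_features(rules: Dict[str, Set[Feature]]) -> Set[Feature]:
    """Step 2: the set of every feature referenced by any rule."""
    used: Set[Feature] = set()
    for feats in rules.values():
        used |= feats
    return used


def get_unused_features(
    sample_counts: Counter[Feature], rule_features: Set[Feature]
) -> List[Tuple[Feature, int]]:
    """Step 3: sample features that no rule references, ordered least to most common."""
    unused = [(f, n) for f, n in sample_counts.items() if f not in rule_features]
    # sort by count, then by feature so the listing is deterministic
    return sorted(unused, key=lambda item: (item[1], item[0]))


def format_unused(unused: List[Tuple[Feature, int]], color: bool = True) -> List[str]:
    """Render "<count>  <class>(<value>)", colouring the count and only the value in parentheses."""
    lines = []
    for (cls, value), n in unused:
        if color:
            lines.append(f"{GREEN}{n}{RESET}  {cls}({CYAN}{value}{RESET})")
        else:
            lines.append(f"{n}  {cls}({value})")
    return lines


if __name__ == "__main__":
    counts = count_features(SAMPLE_FEATURES)
    unused = get_unused_features(counts, get_rule_features(RULES))
    print("\n".join(format_unused(unused)))
```

The counts tell a rule author which unreferenced features are worth a new rule: a feature the sample hits many times and that no rule mentions is a stronger candidate than a one-off constant.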

@Aayush-Goel-04
Contributor Author

@williballenthin @mr-tz all tests are passing now.

Collaborator

@williballenthin williballenthin left a comment

see inline tweaks, then we'll be ready to merge.

Aayush-Goel-04 and others added 3 commits August 9, 2023 15:32
Co-authored-by: Willi Ballenthin <wballenthin@google.com>
Co-authored-by: Willi Ballenthin <wballenthin@google.com>
@Aayush-Goel-04
Contributor Author

see inline tweaks, then we'll be ready to merge.

Done.

Collaborator

@williballenthin williballenthin left a comment

thank you @Aayush-Goel-04 !

@williballenthin williballenthin merged commit 9f43676 into mandiant:master Aug 9, 2023
@Aayush-Goel-04 Aayush-Goel-04 deleted the Aayush-Goel-04/Issue#331 branch August 13, 2023 17:47