lib rules not included in scoped rules #398

mr-tz · 2021-01-20T09:56:24Z

This was observed in mandiant/capa-rules#225.

Thorough lints fail to validate lib rules, because we ignore "lib" rules here:
https://github.com/fireeye/capa/blob/20ce29b0333741c3f677fc501e3c7e34dc062077/capa/rules.py#L864-L879

Possible solutions:

remove "lib" exclusion (easy, however, there may be undesired side-effects @williballenthin?)
add RuleSet.lib_rules (not as easy)
to only change the linter, set all rules' lib meta to False (hacky)

The text was updated successfully, but these errors were encountered:

mike-hunhoff · 2021-01-21T21:12:33Z

This appears to be causing issues in the rule generator plugin as well e.g. when a user attempts to create a new lib rule the plugin cannot make a match because the rule isn't included in the final ruleset (as no dependencies yet exist):

With lib: true:

Without lib: true:

This also prevents existing lib rules with no dependencies from showing up in the rule generator under matched rules, even though these rules may match the current function.

potential fix for #398

mr-tz added this to the v1.5.0 milestone Jan 22, 2021

mr-tz added a commit that referenced this issue Jan 27, 2021

potential fix for #398

c750447

mr-tz added a commit that referenced this issue Jan 28, 2021

Merge pull request #402 from fireeye/lib-rules-subscoped

819b6f6

potential fix for #398

mr-tz closed this as completed Jan 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

lib rules not included in scoped rules #398

lib rules not included in scoped rules #398

mr-tz commented Jan 20, 2021 •

edited

mike-hunhoff commented Jan 21, 2021

lib rules not included in scoped rules #398

lib rules not included in scoped rules #398

Comments

mr-tz commented Jan 20, 2021 • edited

mike-hunhoff commented Jan 21, 2021

mr-tz commented Jan 20, 2021 •

edited