Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use "span of calls" scope #973

Merged
merged 11 commits into from
Jan 29, 2025
Merged

use "span of calls" scope #973

merged 11 commits into from
Jan 29, 2025

Conversation

williballenthin
Copy link
Collaborator

@williballenthin williballenthin commented Dec 17, 2024
edited
Loading

like #972
supporting mandiant/capa#2532

sed -i 's/dynamic: thread/dynamic: sequence/g' (rg -l 'static: function' (rg -l 'dynamic: thread'))
sed -i 's/dynamic: thread/dynamic: sequence/g' (rg -l 'static: basic block' (rg -l 'dynamic: thread'))

@mr-tz mr-tz closed this Dec 18, 2024
@mr-tz mr-tz reopened this Dec 18, 2024
This was referenced Dec 18, 2024
Closed
Open
@williballenthin williballenthin changed the title use sequence scope use "span of calls" scope Jan 17, 2025
@williballenthin williballenthin marked this pull request as ready for review January 17, 2025 12:56
@williballenthin williballenthin requested a review from a team January 17, 2025 12:56
mike-hunhoff
mike-hunhoff approved these changes Jan 18, 2025
View reviewed changes
Copy link
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I spot checked ~30 of these rules and the changes look reasonable to me.

Generally, we need to asses the existing capa rules (I don't recommend doing it in this PR) for opportunities to tighten up the scopes (I've left comments on a few of these that I noticed here) to reduce FP (and improve performance??). I imagine this would be implemented as a lint that verifies the scopes specified for a new rule are the smallest possible, accounting for match features and whatnot. We should also add a lint that verifies scopes align correctly for match features, iirc we've encountered this in the past, and I'm sure it'll only be more of an issue as we've added new scopes.

williballenthin and others added 6 commits January 29, 2025 10:25
@williballenthin williballenthin merged commit c1d2076 into master Jan 29, 2025
3 checks passed
@williballenthin williballenthin deleted the feat/sequence-scope branch January 29, 2025 09:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mike-hunhoff mike-hunhoff mike-hunhoff approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@williballenthin @mike-hunhoff @mr-tz