
feat: add lint to validate rule dependency scope compatibility #2579


Merged 1 commit into master from feat/lint-match-rule-scopes on Jan 29, 2025

Conversation

williballenthin (Collaborator) commented Jan 29, 2025

closes #2124

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

output

❯ python scripts/lint.py rules/
INFO     lint: collecting potentially referenced samples    lint.py:1090

 acquire debug privileges
  FAIL: rule dependency scope mismatch: rule 'acquire debug privileges' (Scope.BASIC_BLOCK) depends on rule 'modify access privileges' (Scope.FUNCTION).


 check mutex
  FAIL: rule dependency scope mismatch: rule 'check mutex' (Scope.BASIC_BLOCK) depends on rule 'create mutex' (Scope.FUNCTION).


 delete drive layout via IOCTL
  FAIL: rule dependency scope mismatch: rule 'delete drive layout via IOCTL' (Scope.CALL) depends on rule 'interact with driver via IOCTL' (Scope.THREAD).


    (nursery)  persist via application shimming
      WARN: missing examples: Add meta.examples so that the rule can be tested and verified
      WARN: rule dependency scope mismatch: rule 'persist via application shimming' (Scope.CALL) depends on rule 'write file on Linux' (Scope.THREAD).


    (nursery)  upload file to OneDrive
      WARN: 'no lint failures': Graduate the rule


    (nursery)  get volume information via IOCTL
      WARN: missing examples: Add meta.examples so that the rule can be tested and verified
      WARN: rule dependency scope mismatch: rule 'get volume information via IOCTL' (Scope.CALL) depends on rule 'interact with driver via IOCTL' (Scope.THREAD).


    (nursery)  unmount volume via IOCTL
      WARN: missing examples: Add meta.examples so that the rule can be tested and verified
      WARN: rule dependency scope mismatch: rule 'unmount volume via IOCTL' (Scope.CALL) depends on rule 'interact with driver via IOCTL' (Scope.THREAD).


    (nursery)  linked against hp-socket
      WARN: referenced example doesn't exist: Add the referenced example to samples directory ($capa-root/tests/data or supplied via --samples)


    (nursery)  resize volume shadow copy storage
      WARN: missing examples: Add meta.examples so that the rule can be tested and verified
      WARN: rule dependency scope mismatch: rule 'resize volume shadow copy storage' (Scope.CALL) depends on rule 'interact with driver via IOCTL' (Scope.THREAD).


    (nursery)  persist via Print Processors registry key
      WARN: missing examples: Add meta.examples so that the rule can be tested and verified
      WARN: rule dependency scope mismatch: rule 'persist via Print Processors registry key' (Scope.CALL) depends on rule 'write file on Linux' (Scope.THREAD).


    (nursery)  get disk information via IOCTL
      WARN: missing examples: Add meta.examples so that the rule can be tested and verified
      WARN: rule dependency scope mismatch: rule 'get disk information via IOCTL' (Scope.CALL) depends on rule 'interact with driver via IOCTL' (Scope.THREAD).


 send file via HTTP
  FAIL: rule dependency scope mismatch: rule 'send file via HTTP' (Scope.BASIC_BLOCK) depends on rule 'connect to URL' (Scope.FUNCTION).

rules with WARN:
  - linked against hp-socket

rules with FAIL:
  - acquire debug privileges
  - check mutex
  - delete drive layout via IOCTL
  - get disk information via IOCTL
  - get volume information via IOCTL
  - persist via Print Processors registry key
  - persist via application shimming
  - resize volume shadow copy storage
  - send file via HTTP
  - unmount volume via IOCTL
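The lint output above reports a mismatch whenever a rule references (via `match:`) another rule whose scope is coarser than its own: a basic-block rule cannot see a match that only exists at function scope, and a call-scoped rule cannot see a thread-scoped one. The following is an added illustration of that check written for this page; it is not capa's `scripts/lint.py`. The `Rule` class, the two scope orderings, the treatment of an undeclared scope as `None` and the sample rules are all constructed for the example and do not reproduce capa's real `Scope` enum or rule parser.

```python
"""Added illustration of a rule dependency-scope lint (example code, not capa's own).
The scope orderings, the Rule class and the sample rules are constructed for this
page; capa's real Scope enum and rule parser differ."""
from dataclasses import dataclass
from typing import Optional

# Coarse-to-fine orderings, one per analysis flavor (constructed; the scope names
# follow those in the lint output above). A higher index means a finer scope.
STATIC_SCOPE_ORDER = ["file", "function", "basic block", "instruction"]
DYNAMIC_SCOPE_ORDER = ["file", "process", "thread", "call"]


@dataclass(frozen=True)
class Rule:
    name: str
    static: Optional[str]        # None: rule declares no static scope (assumption for this example)
    dynamic: Optional[str]       # None: rule declares no dynamic scope
    dependencies: tuple = ()     # names of rules this rule references via `match:`


def is_subscope_compatible(order, child, parent):
    """True when the referenced rule (`child`) matches at a scope at least as fine as
    the referencing rule (`parent`), so its matches are visible from `parent`'s scope.

    A rule that declares no scope for this flavor (None) is skipped instead of
    letting list.index() raise ValueError; the caller still checks the other flavor.
    """
    if child is None or parent is None:
        return True
    return order.index(child) >= order.index(parent)


def lint_dependency_scopes(rules):
    """Return one finding string per incompatible dependency, in rule order."""
    by_name = {rule.name: rule for rule in rules}
    findings = []
    for rule in rules:
        for dep_name in rule.dependencies:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(f"rule '{rule.name}' depends on unknown rule '{dep_name}'")
                continue
            for flavor, order, child, parent in (
                ("static", STATIC_SCOPE_ORDER, dep.static, rule.static),
                ("dynamic", DYNAMIC_SCOPE_ORDER, dep.dynamic, rule.dynamic),
            ):
                if not is_subscope_compatible(order, child, parent):
                    findings.append(
                        f"rule dependency scope mismatch ({flavor}): rule '{rule.name}' "
                        f"({parent}) depends on rule '{dep_name}' ({child})."
                    )
    return findings


# Constructed sample rules shaped like the mismatches in the lint output above.
SAMPLE_RULES = (
    # static mismatch: a basic-block rule cannot see a whole-function match
    Rule("modify access privileges", "function", "call"),
    Rule("acquire debug privileges", "basic block", "call", ("modify access privileges",)),
    # dynamic mismatch: a call-scoped rule cannot see a thread-scoped match
    Rule("interact with driver via IOCTL", "instruction", "thread"),
    Rule("delete drive layout via IOCTL", "instruction", "call", ("interact with driver via IOCTL",)),
    # compatible: the referenced rule is finer in both flavors
    Rule("create mutex", "basic block", "call"),
    Rule("check mutex", "function", "thread", ("create mutex",)),
    # compatible: no dynamic scope declared, static scopes are equal
    Rule("static-only mutex check", "basic block", None, ("create mutex",)),
)


if __name__ == "__main__":
    for finding in lint_dependency_scopes(SAMPLE_RULES):
        print("FAIL:", finding)
```

Run as a script it prints exactly two findings, one static and one dynamic, while the `check mutex` rule passes because its dependency is finer-grained than itself in both flavors. The direction of the comparison is the easy thing to get backwards: the ordering ends with the finest scope, so `>=` means "the referenced rule is at least as fine as the referencing one".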

@williballenthin williballenthin requested a review from a team January 29, 2025 11:20
williballenthin (Collaborator, Author) commented:

mandiant/capa-rules#986

mike-hunhoff (Collaborator) left a comment:

Looks great, thank you! LGTM 🚀

Scope.INSTRUCTION,
]

return static_scope_order.index(child.scopes.static) >= static_scope_order.index(parent.scopes.static)
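Review bot: the return expression only compares `scopes.static`, yet the lint output in the description also reports dynamic mismatches (`Scope.CALL` depending on `Scope.THREAD`), so confirm the dynamic half gets the same ordered comparison against its own coarse-to-fine list rather than being skipped. Two smaller points on the same line: `list.index()` raises `ValueError` if a rule's static scope is ever unset or holds a value not present in `static_scope_order`, so that case should be handled explicitly instead of aborting the whole lint run; and since the order ends with `Scope.INSTRUCTION`, a higher index means a finer scope, so `>=` asserts that the referenced (`child`) rule matches at least as finely as the referencing (`parent`) rule. A one-line comment stating that direction would help, because the `child`/`parent` naming reads the opposite way at first glance.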
A collaborator commented on these lines:

Nice

@williballenthin williballenthin merged commit 712e35c into master Jan 29, 2025
18 of 19 checks passed
@williballenthin williballenthin deleted the feat/lint-match-rule-scopes branch January 29, 2025 17:53
williballenthin added a commit to mandiant/capa-rules that referenced this pull request Jan 29, 2025
Closes: rule set does not correctly validate dependencies across scopes (#2124)