tests: idalib: xfail resource test on 9.0

tests/test_idalib_features.py

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 import logging
 from pathlib import Path
 
@@ -21,6 +20,7 @@ import fixtures
 import capa.features.extractors.ida.idalib
 from capa.features.file import FunctionName
 from capa.features.insn import API
+from capa.features.common import Characteristic
 
 logger = logging.getLogger(__name__)
 
@@ -52,6 +52,13 @@ def test_idalib_features(sample: Path, scope, feature, expected):
             # > prevented this name from surfacing.
             pytest.xfail(f"IDA {kernel_version} does not extract all ELF symbols")
 
+    if kernel_version in {"9.0"} and sample.name.startswith("Practical Malware Analysis Lab 12-04.exe_"):
+        if isinstance(feature, Characteristic) and feature.value == "embedded pe":
+            # see discussion here: https://github.com/mandiant/capa/pull/2742#issuecomment-3667086165
+            #
+            # idalib for IDA 9.0 doesn't support argv arguments, so we can't ask that resources are loaded
+            pytest.xfail("idalib 9.0 does not support loading resource segments")
+
     try:
         fixtures.do_test_feature_presence(fixtures.get_idalib_extractor, sample, scope, feature, expected)
     finally: