From 03cc901f7ba82d1e7b5f22801c6dcbf34f783469 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Tue, 6 Jan 2026 14:42:16 +0100 Subject: [PATCH] tests: idalib: xfail resource test on 9.0 --- tests/test_idalib_features.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tests/test_idalib_features.py b/tests/test_idalib_features.py index a16b7eca..8604b94e 100644 --- a/tests/test_idalib_features.py +++ b/tests/test_idalib_features.py @@ -11,7 +11,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - import logging from pathlib import Path @@ -21,6 +20,7 @@ import fixtures import capa.features.extractors.ida.idalib from capa.features.file import FunctionName from capa.features.insn import API +from capa.features.common import Characteristic logger = logging.getLogger(__name__) @@ -52,6 +52,13 @@ def test_idalib_features(sample: Path, scope, feature, expected): # > prevented this name from surfacing. pytest.xfail(f"IDA {kernel_version} does not extract all ELF symbols") + if kernel_version in {"9.0"} and sample.name.startswith("Practical Malware Analysis Lab 12-04.exe_"): + if isinstance(feature, Characteristic) and feature.value == "embedded pe": + # see discussion here: https://github.com/mandiant/capa/pull/2742#issuecomment-3667086165 + # + # idalib for IDA 9.0 doesn't support argv arguments, so we can't ask that resources are loaded + pytest.xfail("idalib 9.0 does not support loading resource segments") + try: fixtures.do_test_feature_presence(fixtures.get_idalib_extractor, sample, scope, feature, expected) finally: