capabilities: only log "real" matched rules, not derived count

2026-02-04 11:07:53 -08:00 · 2024-05-06 11:27:55 +02:00
parent 4b1a5003df
commit 283ce41a5e
1 changed files with 10 additions and 3 deletions
--- a/capa/capabilities/static.py
+++ b/capa/capabilities/static.py
@@ -182,9 +182,16 @@ def find_static_capabilities(
                )
                t1 = time.time()

-                match_count = sum(len(res) for res in function_matches.values())
-                match_count += sum(len(res) for res in bb_matches.values())
-                match_count += sum(len(res) for res in insn_matches.values())
+                match_count = 0
+                for name, matches in itertools.chain(
+                    function_matches.items(), bb_matches.items(), insn_matches.items()
+                ):
+                    # in practice, most matches are derived rules,
+                    # like "check OS version/5bf4c7f39fd4492cbed0f6dc7d596d49"
+                    # but when we log to the human, they really care about "real" rules.
+                    if not ruleset.rules[name].is_subscope_rule():
+                        match_count += len(matches)
+
                logger.debug(
                    "analyzed function 0x%x and extracted %d features, %d matches in %0.02fs",
                    f.address,