cape2yara.py: update for use of scopes, and fix bug

2025-12-10 23:00:37 -08:00 · 2023-08-24 14:32:49 +02:00
parent 7c101f01e5
commit 9eb1255b29
2 changed files with 13 additions and 19 deletions
--- a/scripts/capa2yara.py
+++ b/scripts/capa2yara.py
@@ -566,7 +566,7 @@ def convert_rules(rules, namespaces, cround, make_priv):
            logger.info("skipping already converted rule capa: %s - yara rule: %s", rule.name, rule_name)
            continue

-        logger.info("-------------------------- DOING RULE CAPA: %s - yara rule: ", rule.name, rule_name)
+        logger.info("-------------------------- DOING RULE CAPA: %s - yara rule: %s", rule.name, rule_name)
        if "capa/path" in rule.meta:
            url = get_rule_url(rule.meta["capa/path"])
        else:
@@ -603,7 +603,12 @@ def convert_rules(rules, namespaces, cround, make_priv):
                meta_name = meta
                # e.g. 'examples:' can be a list
                seen_hashes = []
-                if isinstance(metas[meta], list):
+                if isinstance(metas[meta], dict):
+                    if meta_name == "scopes":
+                        yara_meta += "\t" + "static scope" + ' = "' + metas[meta]["static"] + '"\n'
+                        yara_meta += "\t" + "dynamic scope" + ' = "' + metas[meta]["dynamic"] + '"\n'
+
+                elif isinstance(metas[meta], list):
                    if meta_name == "examples":
                        meta_name = "hash"
                    if meta_name == "att&ck":
--- a/tests/test_scripts.py
+++ b/tests/test_scripts.py
@@ -38,25 +38,15 @@ def get_rule_path():
@pytest.mark.parametrize(
    "script,args",
    [
-        pytest.param("capa2yara.py", [get_rules_path()], marks=pytest.mark.xfail(reason="relies on legacy ruleset")),
-        pytest.param(
-            "capafmt.py", [get_rule_path()], marks=pytest.mark.xfail(reason="rendering hasn't been added yet")
-        ),
+        pytest.param("capa2yara.py", [get_rules_path()]),
+        pytest.param("capafmt.py", [get_rule_path()]),
        # not testing lint.py as it runs regularly anyway
        pytest.param("match-function-id.py", [get_file_path()]),
-        pytest.param(
-            "show-capabilities-by-function.py",
-            [get_file_path()],
-            marks=pytest.mark.xfail(reason="rendering hasn't been added yet"),
-        ),
+        pytest.param("show-capabilities-by-function.py", [get_file_path()]),
        pytest.param("show-features.py", [get_file_path()]),
        pytest.param("show-features.py", ["-F", "0x407970", get_file_path()]),
-        pytest.param(
-            "show-unused-features.py", [get_file_path()], marks=pytest.mark.xfail(reason="relies on legacy ruleset")
-        ),
-        pytest.param(
-            "capa_as_library.py", [get_file_path()], marks=pytest.mark.xfail(reason="relies on legacy ruleset")
-        ),
+        pytest.param("show-unused-features.py", [get_file_path()]),
+        pytest.param("capa_as_library.py", [get_file_path()]),
    ],
 )
 def test_scripts(script, args):
@@ -65,7 +55,6 @@ def test_scripts(script, args):
    assert p.returncode == 0


-@pytest.mark.xfail(reason="relies on legacy ruleset")
 def test_bulk_process(tmp_path):
    # create test directory to recursively analyze
    t = tmp_path / "test"
@@ -86,7 +75,7 @@ def run_program(script_path, args):
    return subprocess.run(args, stdout=subprocess.PIPE)


-@pytest.mark.xfail(reason="rendering hasn't been added yet")
+@pytest.mark.xfail(reason="RD test files haven't been updated yet")
 def test_proto_conversion(tmp_path):
    t = tmp_path / "proto-test"
    t.mkdir()