fix: handle NOT CompoundStatement in render_capa_doc_statement_node so NOT rules render children in IDA plugin tree view

Previously, the elif for CompoundStatement+NOT was unreachable (the outer if already matched all CompoundStatement), causing NOT statements to return None and their children to be orphaned/dropped from the tree.
2026-06-12 19:11:32 -07:00 · 2026-04-22 20:12:48 +03:00
parent da9ccfaef3
commit a18595bf89
2 changed files with 8 additions and 13 deletions
@@ -48,8 +48,7 @@
 - fix: remove unreachable backports.functools_lru_cache fallback and dead dependency @williballenthin
 - fix: Scopes.from_dict uses cls instead of self so subclasses return the correct type @williballenthin
 - fix: correct wrong dict key in VMRay _compute_monitor_threads assertion (used thread_id instead of process_id) @williballenthin
-fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
- fix: replace assert with isinstance guard in get_callee for invalid MethodSpec tokens @williballenthin
+- fix: fix unreachable elif for NOT CompoundStatement so NOT rules render children in IDA plugin tree view @williballenthin (SURF-60)
 - fix: use next(iter(addrs)) instead of addrs.pop() to avoid mutating the feature cache in parse_features_for_tree @williballenthin (SURF-59)
 - fix: use integer division in get_printable_len for UTF-16 LE operands @williballenthin (SURF-58)
 - fix: break thunk chain loop after resolving import to avoid duplicate API features @williballenthin (SURF-57)
@@ -378,15 +378,10 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel):
        """

        if isinstance(statement, rd.CompoundStatement):
-            if statement.type != rd.CompoundStatementType.NOT:
-                display = statement.type
-                if statement.description:
-                    display += f" ({statement.description})"
-                return CapaExplorerDefaultItem(parent, display)
-        elif isinstance(statement, rd.CompoundStatement) and statement.type == rd.CompoundStatementType.NOT:
-            # TODO(mike-hunhoff): verify that we can display NOT statements
-            # https://github.com/mandiant/capa/issues/1602
-            pass
+            display = statement.type
+            if statement.description:
+                display += f" ({statement.description})"
+            return CapaExplorerDefaultItem(parent, display)
        elif isinstance(statement, rd.SomeStatement):
            display = f"{statement.count} or more"
            if statement.description:
@@ -462,8 +457,9 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel):
        else:
            raise RuntimeError("unexpected node type: " + str(match.node.type))

-        for child in match.children:
-            self.render_capa_doc_match(parent2, child, doc)
+        if parent2 is not None:
+            for child in match.children:
+                self.render_capa_doc_match(parent2, child, doc)

    def render_capa_doc_by_function(self, doc: rd.ResultDocument):
        """render rule matches by function meaning each rule match is nested under function where it was found"""