From b34079208cc610474d7e3c26af0d27136ae43bad Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 22 Apr 2026 16:57:55 +0300 Subject: [PATCH] fix: address reportPossiblyUnbound diagnostics (chunk 3) - elf.py: fix bug where vdso_guess except handler set symtab_guess=None - result_document.py: add assert_never after StaticAnalysis/DynamicAnalysis - binexport2/helpers.py: guard empty operand_expressions with early return - tests/fixtures.py: restructure kernel32-64.dll_ workaround to single if/else --- capa/features/extractors/binexport2/helpers.py | 5 ++++- capa/features/extractors/elf.py | 2 +- capa/render/result_document.py | 2 ++ tests/fixtures.py | 5 +++-- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/capa/features/extractors/binexport2/helpers.py b/capa/features/extractors/binexport2/helpers.py index 9eab3972..ec80d76e 100644 --- a/capa/features/extractors/binexport2/helpers.py +++ b/capa/features/extractors/binexport2/helpers.py @@ -575,6 +575,9 @@ class BinExport2InstructionPattern: if len(self.operands) != len(operand_expressions): return None + if not operand_expressions: + return None + captured = None for operand_index, found_expressions in enumerate(operand_expressions): @@ -645,7 +648,7 @@ class BinExport2InstructionPattern: else: # There were no captures, so # return arbitrary non-None expression - return BinExport2InstructionPattern.MatchResult(operand_index, expression_index, found_expression) + return BinExport2InstructionPattern.MatchResult(operand_index, expression_index, found_expression) # type: ignore # loops always run: operand_expressions non-empty (guarded) and expressions are validated non-empty class BinExport2InstructionPatternMatcher: diff --git a/capa/features/extractors/elf.py b/capa/features/extractors/elf.py index d5780a62..9121a57e 100644 --- a/capa/features/extractors/elf.py +++ b/capa/features/extractors/elf.py 
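Review bot: The `if not operand_expressions: return None` guard in the first helpers.py hunk sits after the length comparison, so it fires only when the pattern itself has zero operands, and it silently turns that case into "no match" with no comment recording the intent. If zero-operand patterns are never meant to match, a comment above the guard such as `# zero-operand patterns have nothing to capture; treat as no match` would say so; if they should match, returning None here hides that. The enclosing method starts and ends outside the hunk, so the earlier behaviour is inferred: the loop would not run and the final return would reference unbound names.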
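Review bot: The bare `# type: ignore` on the final `return BinExport2InstructionPattern.MatchResult(...)` line in the second helpers.py hunk silences every checker diagnostic on that line, not only the possibly-unbound one the commit targets. If pyright is the checker reporting it, a scoped `# pyright: ignore[reportPossiblyUnbound]` would keep other errors visible, and the justification would read better as a comment on the line above than trailing an already long line. The claim that each operand's expression list is non-empty is not visible in this hunk. If an inner list can be empty, `expression_index` and `found_expression` would be unbound or carry values from an earlier operand, so an explicit check there would be safer than relying on the ignore.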
@@ -1557,7 +1557,7 @@ def detect_elf_os(f) -> str: logger.debug("guess: vdso strings: %s", vdso_guess) except Exception as e: logger.warning("Error guessing OS from vdso strings: %s", e) - symtab_guess = None + vdso_guess = None ret = None diff --git a/capa/render/result_document.py b/capa/render/result_document.py index c8d194d2..0093624a 100644 --- a/capa/render/result_document.py +++ b/capa/render/result_document.py @@ -749,6 +749,8 @@ class ResultDocument(FrozenModel): ) elif isinstance(self.meta.analysis, DynamicAnalysis): capabilities = Capabilities(matches, self.meta.analysis.feature_counts) + else: + assert_never(self.meta.analysis) return self.meta, capabilities diff --git a/tests/fixtures.py b/tests/fixtures.py index 2b8c2918..ad06f4a7 100644 --- a/tests/fixtures.py +++ b/tests/fixtures.py @@ -183,9 +183,10 @@ def get_binja_extractor(path: Path): if path.name.endswith("kernel32-64.dll_"): old_pdb = settings.get_bool("pdb.loadGlobalSymbols") settings.set_bool("pdb.loadGlobalSymbols", False) - bv = binaryninja.load(str(path)) - if path.name.endswith("kernel32-64.dll_"): + bv = binaryninja.load(str(path)) settings.set_bool("pdb.loadGlobalSymbols", old_pdb) + else: + bv = binaryninja.load(str(path)) # TODO(xusheng6): Temporary fix for https://github.com/mandiant/capa/issues/2507. Remove this once it is fixed in # binja
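Review bot: The corrected `vdso_guess = None` handler in `detect_elf_os` changes runtime results, not just a diagnostic, and nothing in the patch exercises it. Before this line, an exception while reading vdso strings would discard a symtab-based guess and presumably leave `vdso_guess` unassigned. This path is likely reached on malformed ELF input, so a regression test that forces the vdso step to raise and asserts the symtab-derived OS is still returned would pin the fix. The function's other guess handlers lie outside the hunk; it is worth confirming each one resets its own variable.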
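Review bot: The new `else: assert_never(self.meta.analysis)` branch relies on `assert_never` already being imported in result_document.py, because the diffstat shows only these two lines added to the file and no import line. If the name is not in scope, an unexpected analysis type would surface as a NameError rather than the intended assertion failure, so the import is worth confirming. The enclosing method starts outside the hunk.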
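Review bot: In the restructured `kernel32-64.dll_` branch of `get_binja_extractor`, `pdb.loadGlobalSymbols` stays `False` for the rest of the process if `binaryninja.load(str(path))` raises, because the restore call runs only after a successful load. Wrapping the load in `try:` and moving `settings.set_bool("pdb.loadGlobalSymbols", old_pdb)` into a `finally:` clause would keep one failing fixture from changing how later tests load binaries. The function continues past the end of the hunk.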