capa/tests/fixtures/matcher/static/scopes.yml
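# Matcher fixtures for capa's static scopes: file, function, basic block and
# instruction. Each case lists the rule(s) under test, a literal `features`
# listing of the program to match against, and the match locations expected
# per rule name. Hex locations are unquoted and therefore load as integers,
# while the file-scope location is the quoted string "no address".
# NOTE(review): confirm the fixture loader deliberately compares on those two
# types rather than normalizing both to one representation.
# NOTE(review): the `features` block scalars are reproduced flat (one entry
# per line). If the loader nests bb/insn entries under func by indentation,
# re-indent them to the loader's format — the nesting is not recoverable here.
# NOTE(review): rules set only `scopes.static`; confirm the loader does not
# also require `scopes.dynamic` the way the production rule schema may.
- name: function-scope-aggregates-basic-blocks
  description: function scope sees features from all basic blocks in the function
  rules:
    - name: function-cross-basic-block
      description: should match when function scope aggregates features from different basic blocks
      scopes:
        static: function
      features:
        - and:
            - mnemonic: mov
            - mnemonic: add
  # Two basic blocks, each contributing one of the required mnemonics.
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: mnemonic(mov)
    bb: 0x401010: basic block
    insn: 0x401010: mnemonic(add)
  expect:
    matches:
      function-cross-basic-block:
        - 0x401000

- name: basic-block-scope-does-not-aggregate
  description: basic block scope only sees features within a single basic block
  rules:
    - name: basic-block-cross-basic-block
      description: should not match because no single basic block contains both mnemonics
      scopes:
        static: basic block
      features:
        - and:
            - mnemonic: mov
            - mnemonic: add
  # Same program as above; the rule scope is what changes the outcome.
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: mnemonic(mov)
    bb: 0x401010: basic block
    insn: 0x401010: mnemonic(add)
  expect:
    matches: {}

- name: instruction-scope-single-instruction
  description: instruction scope matches at the single instruction containing the feature
  rules:
    - name: instruction-single-mnemonic
      description: should match once at the instruction that contains mov
      scopes:
        static: instruction
      features:
        - mnemonic: mov
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: mnemonic(mov)
    bb: 0x401010: basic block
    insn: 0x401010: mnemonic(add)
  expect:
    matches:
      instruction-single-mnemonic:
        - 0x401000

- name: function-scope-isolation
  description: features from one function do not leak into another function's match
  rules:
    - name: both-features
      scopes:
        static: function
      features:
        - and:
            - mnemonic: mov
            - mnemonic: add
  # mov and add live in different functions, so neither function satisfies the `and`.
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: mnemonic(mov)
    func: 0x402000
    bb: 0x402000: basic block
    insn: 0x402000: mnemonic(add)
  expect:
    matches: {}

- name: file-scope-basic
  description: file scope matches features extracted at file level
  rules:
    - name: file-import
      scopes:
        static: file
      features:
        - import: kernel32.CreateFileW
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: mnemonic(mov)
    file: 0x401000: import(kernel32.CreateFileW)
  expect:
    matches:
      file-import:
        # File-scope matches carry no code address; this sentinel is a string, not an int.
        - "no address"

- name: basic-block-scope-match
  description: basic block scope matches when a single BB contains all required features
  rules:
    - name: bb-both
      scopes:
        static: basic block
      features:
        - and:
            - mnemonic: mov
            - mnemonic: add
  # The first basic block holds both mnemonics; the second holds an unrelated xor.
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: mnemonic(mov)
    insn: 0x401002: mnemonic(add)
    bb: 0x401010: basic block
    insn: 0x401010: mnemonic(xor)
  expect:
    matches:
      bb-both:
        - 0x401000

- name: instruction-scope-multiple-matches
  description: instruction scope reports multiple matching instructions
  rules:
    - name: insn-multi
      scopes:
        static: instruction
      features:
        - mnemonic: mov
  features: |
    func: 0x401000
    bb: 0x401000: basic block
    insn: 0x401000: mnemonic(mov)
    insn: 0x401002: mnemonic(add)
    insn: 0x401004: mnemonic(mov)
  expect:
    matches:
      insn-multi:
        # One location per matching instruction, in address order.
        - 0x401000
        - 0x401004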