mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

sigs folder missing from package installation dir #682

Open Antelox opened 3 years ago

Antelox commented 3 years ago

Description

With version 2.0.0 (installed via pip), when running capa with no signatures argument, it reports an error and exits. The issue seems to be in the get_default_signatures method, which tries to get the sigs folder from the package installation dir, but the folder is missing.

Steps to Reproduce

1. Run capa with no -s argument

Expected behavior:

Run with the default signatures and continue without exiting.

Actual behavior:

It runs, reports the error below and exits.

ERROR:capa:signatures path %REDACTED%/env/lib/python3.9/site-packages/capa/../sigs does not exist or cannot be accessed

Versions

2.0.0

mr-tz commented 3 years ago

Yes, this is definitely not the most user-friendly behavior but when installing via pip no rules or signatures are installed.

For now you'll have to provide the sigs directory manually.

See the note here https://github.com/fireeye/capa/blob/master/doc/installation.md#note

Antelox commented 3 years ago

I see, perhaps if no sigs, just continue and don't use them rather than exit? Does this make sense?

williballenthin commented 3 years ago

that's a good idea.

we should also try to detect when installed via pip and show a warning and explain how to fix the situation.

mr-tz commented 1 year ago

Should we package the signatures like done in https://github.com/mandiant/flare-floss/pull/578?