Merge pull request #686 from fireeye/fix/531

add additional filter logic when displaying capa matches by function
2025-12-12 15:49:46 -08:00 · 2021-07-27 08:48:35 -06:00
parent 8b572dc63f 874dffc13f
commit a1b3703a0d
2 changed files with 12 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@

 ### capa explorer IDA Pro plugin

+- explorer: add additional filter logic when displaying matches by function #686 @mike-hunhoff
+
 ### Development

 ### Raw diffs
--- a/capa/ida/plugin/model.py
+++ b/capa/ida/plugin/model.py
@@ -435,12 +435,18 @@ class CapaExplorerDataModel(QtCore.QAbstractItemModel):
            for ea in rule["matches"].keys():
                ea = capa.ida.helpers.get_func_start_ea(ea)
                if ea is None:
-                    # file scope, skip for rendering in this mode
+                    # file scope, skip rendering in this mode
                    continue
-                if None is matches_by_function.get(ea, None):
-                    matches_by_function[ea] = CapaExplorerFunctionItem(self.root_node, ea, can_check=False)
+                if not matches_by_function.get(ea, ()):
+                    # new function root
+                    matches_by_function[ea] = (CapaExplorerFunctionItem(self.root_node, ea, can_check=False), [])
+                function_root, match_cache = matches_by_function[ea]
+                if rule["meta"]["name"] in match_cache:
+                    # rule match already rendered for this function root, skip it
+                    continue
+                match_cache.append(rule["meta"]["name"])
                CapaExplorerRuleItem(
-                    matches_by_function[ea],
+                    function_root,
                    rule["meta"]["name"],
                    rule["meta"].get("namespace"),
                    len(rule["matches"]),