render: don't assume prior matches exist within thread (#2612)

mike-hunhoff · web-flow · commit 7ecf2920956b · 2025-03-03T17:49:03.000-07:00
* render: don't assume prior matches exist within thread

* update CHANGELOG

* update comments
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@
 - only parse CAPE fields required for analysis @mike-hunhoff #2607
 - main: render result document without needing associated rules @williballenthin #2610
 - vmray: only verify process OS and monitor IDs match @mike-hunhoff #2613
+- render: don't assume prior matches exist within a thread @mike-hunhoff #2612
 
 ### capa Explorer Web
 
diff --git a/capa/render/result_document.py b/capa/render/result_document.py
@@ -418,8 +418,9 @@ def from_capa(
                                     and a.id <= location.id
                                 ]
                             )
-                            _, most_recent_match = matches_in_thread[-1]
-                            children.append(Match.from_capa(rules, capabilities, most_recent_match))
+                            if matches_in_thread:
+                                _, most_recent_match = matches_in_thread[-1]
+                                children.append(Match.from_capa(rules, capabilities, most_recent_match))
 
                     else:
                         children.append(Match.from_capa(rules, capabilities, rule_matches[location]))
@@ -478,8 +479,11 @@ def from_capa(
                                             and a.id <= location.id
                                         ]
                                     )
-                                    _, most_recent_match = matches_in_thread[-1]
-                                    children.append(Match.from_capa(rules, capabilities, most_recent_match))
+                                    # namespace matches may not occur within the same thread as the result, so only
+                                    # proceed if a match within the same thread is found
+                                    if matches_in_thread:
+                                        _, most_recent_match = matches_in_thread[-1]
+                                        children.append(Match.from_capa(rules, capabilities, most_recent_match))
                             else:
                                 if location in rule_matches:
                                     children.append(Match.from_capa(rules, capabilities, rule_matches[location]))

Original file line number	Diff line number	Diff line change
`@@ -418,8 +418,9 @@ def from_capa(`
`418`	`418`	`and a.id <= location.id`
`419`	`419`	`]`
`420`	`420`	`)`
`421`		`- _, most_recent_match = matches_in_thread[-1]`
`422`		`- children.append(Match.from_capa(rules, capabilities, most_recent_match))`
	`421`	`+ if matches_in_thread:`
	`422`	`+ _, most_recent_match = matches_in_thread[-1]`
	`423`	`+ children.append(Match.from_capa(rules, capabilities, most_recent_match))`
`423`	`424`
`424`	`425`	`else:`
`425`	`426`	`children.append(Match.from_capa(rules, capabilities, rule_matches[location]))`
`@@ -478,8 +479,11 @@ def from_capa(`
`478`	`479`	`and a.id <= location.id`
`479`	`480`	`]`
`480`	`481`	`)`
`481`		`- _, most_recent_match = matches_in_thread[-1]`
`482`		`- children.append(Match.from_capa(rules, capabilities, most_recent_match))`
	`482`	`+ # namespace matches may not occur within the same thread as the result, so only`
	`483`	`+ # proceed if a match within the same thread is found`
	`484`	`+ if matches_in_thread:`
	`485`	`+ _, most_recent_match = matches_in_thread[-1]`
	`486`	`+ children.append(Match.from_capa(rules, capabilities, most_recent_match))`
`483`	`487`	`else:`
`484`	`488`	`if location in rule_matches:`
`485`	`489`	`children.append(Match.from_capa(rules, capabilities, rule_matches[location]))`