merge upstream

mandiant · Mar 4, 2025 · 6adbf32 · 6adbf32
2 parents 3301307 + 7ecf292
commit 6adbf32
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,7 @@ It also includes an updated rule pack in which many dynamic rules make better us
 - only parse CAPE fields required for analysis @mike-hunhoff #2607
 - main: render result document without needing associated rules @williballenthin #2610
 - vmray: only verify process OS and monitor IDs match @mike-hunhoff #2613
+- render: don't assume prior matches exist within a thread @mike-hunhoff #2612
 
 ### Raw diffs
 - [capa v9.0.0...v9.1.0](https://github.com/mandiant/capa/compare/v9.0.0...v9.1.0)

diff --git a/capa/render/result_document.py b/capa/render/result_document.py
@@ -418,8 +418,9 @@ def from_capa(
                                     and a.id <= location.id
                                 ]
                             )
-                            _, most_recent_match = matches_in_thread[-1]
-                            children.append(Match.from_capa(rules, capabilities, most_recent_match))
+                            if matches_in_thread:
+                                _, most_recent_match = matches_in_thread[-1]
+                                children.append(Match.from_capa(rules, capabilities, most_recent_match))
 
                     else:
                         children.append(Match.from_capa(rules, capabilities, rule_matches[location]))
@@ -478,8 +479,11 @@ def from_capa(
                                             and a.id <= location.id
                                         ]
                                     )
-                                    _, most_recent_match = matches_in_thread[-1]
-                                    children.append(Match.from_capa(rules, capabilities, most_recent_match))
+                                    # namespace matches may not occur within the same thread as the result, so only
+                                    # proceed if a match within the same thread is found
+                                    if matches_in_thread:
+                                        _, most_recent_match = matches_in_thread[-1]
+                                        children.append(Match.from_capa(rules, capabilities, most_recent_match))
                             else:
                                 if location in rule_matches:
                                     children.append(Match.from_capa(rules, capabilities, rule_matches[location]))