vverbose: fix rendering of span-of-calls summaries

#2532 (comment)
mandiant · Jan 20, 2025 · a387030 · a387030
1 parent 7b3bf0d
commit a387030
Showing 1 changed file with 15 additions and 21 deletions.
diff --git a/capa/render/vverbose.py b/capa/render/vverbose.py
@@ -320,33 +320,27 @@ def collect_span_of_calls_locations(
     Find all the call locations used in a given span-of-calls match, recursively.
     Useful to collect the events used to match a span-of-calls scoped rule.
     """
-    if isinstance(match.node, rd.StatementNode):
-        if (
-            isinstance(match.node.statement, rd.CompoundStatement)
-            and match.node.statement.type == rd.CompoundStatementType.NOT
-        ):
-            child_mode = MODE_FAILURE if mode == MODE_SUCCESS else MODE_SUCCESS
-            for child in match.children:
-                yield from collect_span_of_calls_locations(child, child_mode)
-        elif isinstance(match.node.statement, rd.RangeStatement):
-            for location in match.locations:
-                if location.type not in (frz.AddressType.CALL,):
-                    continue
-                if mode == MODE_FAILURE:
-                    continue
-                yield location
-        else:
-            for child in match.children:
-                yield from collect_span_of_calls_locations(child, mode)
-    elif isinstance(match.node, rd.FeatureNode):
+    if not match.success:
+        return
+
+    if isinstance(match.node, rd.FeatureNode) or isinstance(match.node.statement, rd.RangeStatement):
         for location in match.locations:
-            if location.type not in (frz.AddressType.CALL,):
+            if location.type != frz.AddressType.CALL:
                 continue
+
             if mode == MODE_FAILURE:
+                # only collect positive evidence,
+                # not things that filter out branches.
                 continue
+
             yield location
     else:
-        raise ValueError("unexpected node type")
+        child_mode = mode
+        if match.node.statement.type == rd.CompoundStatementType.NOT:
+            child_mode = MODE_FAILURE if mode == MODE_SUCCESS else MODE_SUCCESS
+
+        for child in match.children:
+            yield from collect_span_of_calls_locations(child, child_mode)
 
 
 def render_rules(console: Console, doc: rd.ResultDocument):