update cape

.actrc

@@ -0,0 +1,5 @@
+ # Nektos act runs tests as root. Without this environment variable
+ # being set, CAPE exits at line 10 of web/web/settings.py,
+ # and no tests are run.
+
+ --env CAPE_AS_ROOT=1

.github/actions/python-setup/action.yml

@@ -0,0 +1,30 @@
+name: 'Python setup steps that can be reused'
+description: 'Install dependencies, poetry, requirements'
+inputs:
+  python-version:
+    required: true
+    description: The python version
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install dependencies
+      if: ${{ runner.os == 'Linux' }}
+      shell: bash
+      run: |
+        sudo apt update && sudo apt-get install -y --no-install-recommends libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev p7zip-full innoextract unrar upx
+
+    - name: Install poetry
+      shell: bash
+      run: pip install poetry
+
+    - name: Set up Python ${{ inputs.python-version }}
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ inputs.python-version }}
+        cache: 'poetry'
+
+    - name: Install requirements
+      shell: bash
+      run: |
+        poetry install --no-interaction --no-root

.github/workflows/export-requirements.yml

@@ -9,21 +9,22 @@ on:
 
 jobs:
   update:
+    if: ${{ !github.event.act }} # skip during local actions testing
     runs-on: ubuntu-latest
     timeout-minutes: 5
     strategy:
       matrix:
-        python-version: ["3.8"]
+        python-version: ["3.10"]
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install poetry
         run: pip install poetry
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           # check-latest: true
           python-version: ${{ matrix.python-version }}
@@ -33,6 +34,8 @@ jobs:
         run: poetry export --format requirements.txt --output requirements.txt
 
       - name: Commit changes if any
+        # Skip this step if being run by nektos/act
+        if: ${{ !env.ACT }}
         run: |
           git config user.name "GitHub Actions"
           git config user.email "[email protected]"

.github/workflows/pip-audit.yml

@@ -10,12 +10,12 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: ["3.8"]
+        python-version: ["3.10"]
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - uses: pypa/[email protected].0
+      - uses: pypa/[email protected].8
         with:
           inputs: requirements.txt

.github/workflows/python-package-windows.yml

@@ -0,0 +1,43 @@
+name: Python tests on windows
+
+env:
+  COLUMNS: 120
+
+on:
+  push:
+    branches: [ master, staging ]
+  pull_request:
+    branches: [ master, staging ]
+
+jobs:
+  test:
+    runs-on: windows-latest
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11"]
+
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        # Use x86 python because of https://github.com/kevoreilly/CAPEv2/issues/168
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          architecture: 'x86'
+
+      - name: Install dependencies
+        run: pip install --upgrade pytest requests
+
+      - name: Run analyzer unit tests
+        run: |
+          cd analyzer/windows
+          pytest -v .
+
+      - name: Run agent unit tests
+        run: |
+          cd agent
+          pytest -v .

.github/workflows/python-package.yml

@@ -15,85 +15,61 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: ["3.8", "3.11"]
-
+        python-version: ["3.10", "3.11"]
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
       - name: Checkout test files repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: CAPESandbox/CAPE-TestFiles
           path: tests/data/
 
-      - name: Install dependencies
-        run: |
-          sudo apt update && sudo apt-get install libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev p7zip-full innoextract unrar upx
-
-      - name: Install poetry
-        run: pip install poetry
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - uses: ./.github/actions/python-setup/
         with:
-          # check-latest: true
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-      - name: Install requirements
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+
+      - name: Install pyattck
         run: |
-          poetry install --no-interaction --no-root
+          poetry run pip install pyattck==7.1.2
 
       - name: Run Ruff
         run: poetry run ruff . --line-length 132 --ignore E501,E402
 
       - name: Run unit tests
         run: poetry run python -m pytest --import-mode=append
 
-      # Test parsers only if any parser changed
-      - uses: dorny/paths-filter@v2
+      - name: See if any parser changed
+        uses: dorny/paths-filter@v3
         id: changes
         with:
           filters: |
             src:
               - 'modules/processing/parsers/CAPE/*.py'
 
-      - if: steps.changes.outputs.src == 'true'
+      - name: Test parsers only if any parser changed
+        if: steps.changes.outputs.src == 'true'
         run: poetry run python -m pytest tests_parsers -s --import-mode=append
 
-  # Todo unify in future
   format:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: ["3.8", "3.11"]
+        python-version: ["3.10", "3.11"]
     if: ${{ github.ref == 'refs/heads/master' }}
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Install dependencies
-        run: |
-          sudo apt-get install libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev
-
-      - name: Install poetry
-        run: pip install poetry
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - name: Set up python
+        uses: ./.github/actions/python-setup
         with:
-          check-latest: true
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-      - name: Install requirements
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
-        run: |
-          poetry install --no-interaction --no-root
 
       - name: Format with black
         run: poetry run black .
@@ -103,6 +79,8 @@ jobs:
         run: poetry run isort .
 
       - name: Commit changes if any
+        # Skip this step if being run by nektos/act
+        if: ${{ !env.ACT }}
         run: |
           git config user.name "GitHub Actions"
           git config user.email "[email protected]"

.github/workflows/yara-audit.yml

@@ -10,29 +10,21 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: ["3.8"]
+        python-version: ["3.10"]
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Install dependencies
-        run: |
-          sudo apt-get install libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev
-
-      - name: Install poetry
-        run: pip install poetry
+      - name: Checkout test files repo
+        uses: actions/checkout@v4
+        with:
+          repository: CAPESandbox/CAPE-TestFiles
+          path: tests/data/
 
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - uses: ./.github/actions/python-setup/
         with:
-          # check-latest: true
           python-version: ${{ matrix.python-version }}
-          cache: 'poetry'
-      - name: Install requirements
-        if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
-        run: |
-          poetry install --no-interaction --no-root
 
       - name: Install dependencies
         run: |

.gitignore

@@ -21,3 +21,4 @@ tests/test_bson.bson.compressed
 *~
 
 installer/cape-config.sh
+installer/kvm-config.sh

.pre-commit-config.yaml

@@ -16,6 +16,12 @@ repos:
   #   hooks:
   #     - id: pyproject-flake8
 
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.3.0
+    hooks:
+      - id: ruff
+        args: [ --fix ]
+
   - repo: https://github.com/psf/black
     rev: 22.3.0
     hooks:

.readthedocs.yaml

@@ -8,11 +8,7 @@ version: 2
 build:
   os: ubuntu-22.04
   tools:
-    python: "3.11"
-    # You can also specify other tool versions:
-    # nodejs: "20"
-    # rust: "1.70"
-    # golang: "1.20"
+    python: "3.12"
 
 # Build documentation in the "docs/" directory with Sphinx
 sphinx:
@@ -27,9 +23,6 @@ sphinx:
 #    - pdf
 #    - epub
 
-# Optional but recommended, declare the Python requirements required
-# to build your documentation
-# See https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html
-# python:
-#    install:
-#    - requirements: docs/requirements.txt
+python:
+  install:
+    - requirements: docs/requirements.txt

.yara-ci.yml

@@ -1,7 +1,6 @@
 files:
   accept:
   - "data/yara/**.yar"
-  - "analyzer/windows/data/yara/*.yar"
 
 false_positives:
   ignore:
@@ -10,3 +9,4 @@ false_positives:
     - rule: "NSIS"
     - rule: "UPX"
     - rule: "Syscall"
+    - rule: "FormhookB"

LICENSE

@@ -658,3 +658,7 @@ License, Version 2.0.
 The files bootstrap.min.js, bootstrap.min.css, bootstrap-responsive.min.css,
 glyphicons-halflings.png, glyphicons-halflings-white.png are copyrighted by Twitter, Inc.
 and licensed under the Apache License, Version 2.0.
+
+The file analyzer/windows/modules/amsi.py uses parts of pywintrace
+(https://github.com/fireeye/pywintrace), which is copyrighted by FireEye, Inc. and licensed
+under the Apache License, Version 2.0.