read and render results document

[mr-tz]

when wanting to display different output modes, e.g. plain or verbose, the whole program needs to run again. this can be a bit slow, since capa needs to re-analyze the binary, extract features, do the matching, etc. with the results document saved by the user, we could also take that as an input and render per the specified arguments.

the flow would look like this:

1. user invokes capa with --json option and directs the output to a file, like capa foo.exe --json > foo.json
2. user invokes capa against the json file instead of the sample, like capa foo.json -v and capa foo.json -vv

i dont think we want to introduce any more cli options than we have to, so lets use output redirection for writing the json to a file. we could add a new --format= option like --format=result to indicate to capa that the input file is a result document, like capa --format=result foo.json. and/or, we could autodetect when the input file appears to be a result document json and just do the right thing. we could autodetect by noticing the content is json, has some strings we expect, and decodes correctly into a result document.

once we have a result document loaded, then the output behavior here shouldn't have to change.

uses cases for this would be:

• rule dev
• results exploration

this will require a bit of refactoring so let's agree if this is worth it and how to do it, first.

[williballenthin]

rendering an existing results document is a great idea!

[ggold7046]

Could you please explain it a bit more and guide me how to do it ?

[mr-tz]

For the rendering of an existing result document (JSON), we'll have to:

• find a good way to provide the result file to capa
• render the loaded results per the arguments

[ooprathamm]

@williballenthin is adding a new format FORMAT_RESULT a correct approach as by this we can reuse args.sample to accept json file as cited by @mr-tz ,and rather than --format=result we can just compare the initial buf.read of the file to be {"meta": to ensure its a results.json file

[mr-tz]

Yes, an explicit new FORMAT and auto-detection via the first few bytes (and subquential successful loading) sound great.

[EmperialX]

Hi @mr-tz -tz ,I would like to work on fixing issue. I would appreciate your guidance as I work on this issue. Let me know if you have any suggestions or guidance on how I can get started. Thank you!

[williballenthin]

No, @ooprathamm is working on this in #1396 so let’s follow their work and lend a hand if they ask for help. Otherwise, is feature is already being addressed.