internal-dotnet-file-limitation.yml: make it valid for static scope too

[williballenthin]

ref mandiant/capa#2591

[mike-hunhoff]

With this change, capa will print the description and force users to run capa with >= -v option for every .NET file that it analyzes statically:

      This dynamic analysis trace describes a .NET file.

      capa rules are not yet tuned for the .NET runtime, 
      so its analysis may be incomplete or misleading.

This is confusing on two fronts:

• This dynamic analysis trace describes a .NET file. could confuse users attempting to analyze a .NET file statically
• capa rules are not yet tuned for the .NET runtime isn't true for static analysis as capa has a robust set of .NET rules and we don't want to turn users away from using capa to process .NET files statically.

@williballenthin I agree with your comments in mandiant/capa#2591 (comment) that a proper fix likely requires many changes. Unfortunately, I think our best option at this time is to exclude this rule until we have time to implement these changes.

[williballenthin]

With this change, capa will print the description and force users to run capa with >= -v option for every .NET file that it analyzes statically:

Thanks for calling this out. That wasn't my intention for the logic of capa and the dynamic limitations. These dynamic limitations should only be used to warn users during dynamic analysis.

@v1bh475u would you reproduce this behavior on your side and open a new PR to ensure these rules aren't used to warn for samples in the wrong analysis mode.

@mike-hunhoff agree that in the short term we can remove the dynamic .NET rule

[williballenthin]

@mike-hunhoff are you sure about this? when i run locally in static mode, there's not a warning about .NET files:

[mike-hunhoff]

@mike-hunhoff are you sure about this? when i run locally in static mode, there's not a warning about .NET files:

Ah, I guess you're correct that the limitation isn't highlighted because of these checks: https://github.com/mandiant/capa/blob/5467fac1a57c094b6dd466e1c361bcb7f12dd340/capa/main.py#L1001-L1005. However, the rule is matched and displayed in my local instance, which isn't great but not show stopping:

┌───────────┬──────────────────────────────────────────────────────────────────────────────────────┐
│ md5       │ dd9098ff91717f4906afe9dafdfa2f52                                                     │
│ sha1      │ 4201c1e724536dfb937e03d101d565e031f7037d                                             │
│ sha256    │ ba47b6f560171cda711b43248685582166ef72521f8808ddc6cd1d9d146f9b86                     │
│ analysis  │ static                                                                               │
│ os        │ any                                                                                  │
│ format    │ dotnet                                                                               │
│ arch      │ any                                                                                  │
│ path      │ /home/spring/Documents/capa/tests/data/dotnet/dd9098ff91717f4906afe9dafdfa2f52.exe_  │
└───────────┴──────────────────────────────────────────────────────────────────────────────────────┘
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ MBC Objective                                         ┃ MBC Behavior                             ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ OPERATING SYSTEM                                      │ Console [C0033]                          │
└───────────────────────────────────────────────────────┴──────────────────────────────────────────┘
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Capability                                             ┃ Namespace                               ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ manipulate console buffer (7 matches)                  │ host-interaction/console                │
│ (internal) .NET file limitation                        │ internal/limitation/dynamic             │
│ compiled to the .NET platform                          │ runtime/dotnet                          │
└────────────────────────────────────────────────────────┴─────────────────────────────────────────┘

[v1bh475u]

Sure. Will start working on it!

[v1bh475u]

The issue is there are rigid matches for static file limitations, but for dynamic dotnet limitations, I couldn't find any firm constraints. Do you have any suggestions? @mike-hunhoff @williballenthin

[williballenthin]

@mike-hunhoff

However, the rule is matched and displayed in my local instance, which isn't great but not show stopping

This is fixed in the pending #2592, where we now hide any internal rule from the default output (but will show it during vverbose, which isn't great but probably fine enough).

@v1bh475u we cleared up the confusion and i don't think is any action needed by you right now, sorry!