Exception from NetworkX: None cannot be a node

[gmacon]

Description

I've been running Capa over some large collections of binaries and am noticing lots of failures with a traceback coming from NetworkX.

Steps to Reproduce

1. Download the Marcelli et al. dataset following their instructions.
2. capa --json Dataset-1/clamav/x86-gcc-5-O0_clambc >x86-gcc-5-O0_clambc.json (or some other file)

Expected behavior:

JSON capabilities output in the .json file or else a clean error message explaining why this file isn't supported.

Actual behavior:

Capa crashes with this traceback

Traceback (most recent call last):
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/bin/.capa-wrapped", line 9, in <module>
    sys.exit(main())
             ^^^^^^
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/lib/python3.11/site-packages/capa/main.py", line 1120, in main
    capabilities, counts = find_capabilities(rules, extractor, disable_progress=args.quiet)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/lib/python3.11/site-packages/capa/main.py", line 270, in find_capabilities
    function_matches, bb_matches, insn_matches, feature_count = find_code_capabilities(ruleset, extractor, f)
                                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/lib/python3.11/site-packages/capa/main.py", line 208, in find_code_capabilities
    for feature, va in itertools.chain(extractor.extract_function_features(fh), extractor.extract_global_features()):
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/lib/python3.11/site-packages/capa/features/extractors/viv/extractor.py", line 55, in extract_function_features
    yield from capa.features.extractors.viv.function.extract_features(fh)
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/lib/python3.11/site-packages/capa/features/extractors/viv/function.py", line 74, in extract_features
    for feature, addr in func_handler(fh):
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/lib/python3.11/site-packages/capa/features/extractors/viv/function.py", line 59, in extract_function_loop
    if edges and loops.has_loop(edges):
                 ^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/3zgh57d660jvxv72pxmg48ydgqb2cf92-flare-capa-4.0.1/lib/python3.11/site-packages/capa/features/extractors/loops.py", line 24, in has_loop
    g.add_edges_from(edges)
  File "/nix/store/1ia7j9yn81c1wxrcb9p8wxgivqaivqy9-python3.11-networkx-3.1/lib/python3.11/site-packages/networkx/classes/digraph.py", line 785, in add_edges_from
    raise ValueError("None cannot be a node")
ValueError: None cannot be a node

Versions

❯ /nix/store/4fp5f0ir3wkj2dklc8pjgmkv3hy11vm9-flare-capa-4.0.1/bin/capa --version
capa 4.0.1

On Linux with nixpkgs. I had to write a derivation to package capa, I'm happy to share that if you need it. I'm pulling this repo at tag v4.0.1 and the capa-rules repo at tag v4.0.1 for this.

Python 3.11.5, also from nixpkgs

Additional Information

[mr-tz]

Thanks for the detailed report! Would you be able to share a failing sample or it's hash (for a sample available on VirusTotal)? This would help me debug this a bit faster.

[gmacon]

Here you go: x86-gcc-5-O0_clambc.gz

Edit: it's compressed because github wouldn't accept the uncompressed verison.

[mr-tz]

capa v6.1.0 seems to work fine on the sample (there's no exception).

Can you use a newer capa version or try to update networkx?

[gmacon]

My nix-packaged capa v6.1.0 failed with a different error, but v6.0.0 is working. I'll open new issues for the additional things I found.

[gmacon]

I only opened one issue: #1886. The other problem I ran into is because of mismatched dependency versions in my derivation, so there's nothing for this project to do about that.

[mr-tz]

Thanks!