add "capa diff" to compare capability deltas between two samples

[akshat4703]

Comparing two binaries with capa currently requires manual output comparison. For malware variant analysis and regression checks, this is slow and easy to get wrong.

Could we add a capa diff workflow that compares two samples (or two JSON outputs) and reports capabilities that were added/removed, with optional ATT&CK/MBC deltas when available? A v1 could focus on normalized capability-name deltas only, with text and JSON output.

Example UX:

• capa diff old.bin new.bin
• capa diff old.json new.json --from-json

[williballenthin]

i think this is a nice illustration of the things you can do with capa, though it shouldn't live in the main executable. perhaps you can add it under ./scripts?

[akshat4703]

i think this is a nice illustration of the things you can do with capa, though it shouldn't live in the main executable. perhaps you can add it under ./scripts?

ok will be opening a pr related to it.

[akshat4703]

i think this is a nice illustration of the things you can do with capa, though it shouldn't live in the main executable. perhaps you can add it under ./scripts?

ok will be opening a pr related to it.

#2959