Merge branch 'VirusTotal:main' into macho-import-parsing

VirusTotal · Jun 30, 2024 · 1aa2cfb · 1aa2cfb
2 parents 453fbb2 + 2c5fdd9
commit 1aa2cfb
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 70 deletions.
diff --git a/.github/workflows/golang.yaml b/.github/workflows/golang.yaml
@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [ '1.19', '1.20', '1.21.x' ]
+        go-version: [ '1.19', '1.20', '1.21.x', '1.22.x' ]
         os: [ ubuntu-latest, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:

diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml
@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: [ 3.8, 3.9, "3.10", "3.11" ]
+        python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12" ]
         os: [ ubuntu-latest, macos-latest, windows-latest ]
     runs-on: ${{ matrix.os }}
     steps:
@@ -34,7 +34,7 @@ jobs:
         python -m pip install pytest
         maturin develop --manifest-path py/Cargo.toml
         pytest py
-    
+
     # Non-windows
     - name: Test Python - Non-Windows
       if: runner.os != 'Windows'

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,5 @@
 [workspace.package]
-version = "0.4.0"
+version = "0.5.0"
 authors = ["Victor M. Alvarez <[email protected]>"]
 edition = "2021"
 homepage = "https://github.com/VirusTotal/yara-x"
@@ -31,7 +31,7 @@ resolver = "2"
 
 [workspace.dependencies]
 aho-corasick = "1.1.3"
-annotate-snippets = "0.11.2"
+annotate-snippets = "0.11.4"
 anyhow = "1.0.86"
 array-bytes = "6.2.3"
 ascii_tree = "0.1.1"
@@ -42,8 +42,8 @@ bitvec = "1.0.1"
 bstr = "1.9.1"
 cbindgen = "0.26.0"
 chrono = "0.4.38"
-clap = "4.5.4"
-clap_complete = "4.5.2"
+clap = "4.5.7"
+clap_complete = "4.5.7"
 const-oid = "0.9.6"
 crc32fast = "1.4.2"
 der-parser = "9.0.0"
@@ -62,13 +62,13 @@ intaglio = "1.9.1"
 itertools = "0.13.0"
 lazy_static = "1.4.0"
 line-span = "0.1.5"
-linkme = "0.3.26"
-log = "0.4.21"
+linkme = "0.3.27"
+log = "0.4.22"
 magic = "0.16.2"
 md2 = "0.10.2"
 md-5 = "0.10.6"
-memchr = "2.7.2"
-memx = "0.1.30"
+memchr = "2.7.4"
+memx = "0.1.32"
 nom = "7.1.3"
 num-traits = "0.2.19"
 num-derive = "0.4.2"
@@ -83,8 +83,8 @@ protobuf-json-mapping = "3.5.0"
 protobuf-parse = "3.5.0"
 protobuf-support = "3.5.0"
 rayon = "1.10.0"
-regex-syntax = "0.8.3"
-regex-automata = "0.4.6"
+regex-syntax = "0.8.4"
+regex-automata = "0.4.7"
 roxmltree = "0.20.0"
 rsa = "0.9.6"
 rustc-hash = "2.0.0"
@@ -104,11 +104,11 @@ x509-parser = "0.16.0"
 yaml-rust = "0.4.5"
 yansi = "1.0.1"
 yara-x = { path = "lib" }
-yara-x-fmt = { path = "fmt", version = "0.4.0" }
-yara-x-macros = { path = "macros", version = "0.4.0" }
-yara-x-parser = { path = "parser", version = "0.4.0" }
-yara-x-proto = { path = "proto", version = "0.4.0" }
-yara-x-proto-yaml = { path = "proto-yaml", version = "0.4.0" }
+yara-x-fmt = { path = "fmt", version = "0.5.0" }
+yara-x-macros = { path = "macros", version = "0.5.0" }
+yara-x-parser = { path = "parser", version = "0.5.0" }
+yara-x-proto = { path = "proto", version = "0.5.0" }
+yara-x-proto-yaml = { path = "proto-yaml", version = "0.5.0" }
 zip = "2.1.1"
 
 # Special profile that builds a release binary with link-time optimization.

diff --git a/go/compiler_test.go b/go/compiler_test.go
@@ -42,7 +42,7 @@ func TestRelaxedReSyntax(t *testing.T) {
 
 func TestErrorOnSlowPattern(t *testing.T) {
 	_, err := Compile(`
-		rule test { strings: $a = /a.*b/ condition: $a }`,
+		rule test { strings: $a = /a.*/ condition: $a }`,
 		ErrorOnSlowPattern(true))
 	assert.Error(t, err)
 }
@@ -107,7 +107,7 @@ func TestVariables(t *testing.T) {
 
 func TestError(t *testing.T) {
 	_, err := Compile("rule test { condition: foo }")
-	assert.EqualError(t, err, `error: unknown identifier `+"`foo`"+`
+	assert.EqualError(t, err, `error[E107]: unknown identifier `+"`foo`"+`
  --> line:1:24
   |
 1 | rule test { condition: foo }

diff --git a/lib/src/scanner/context.rs b/lib/src/scanner/context.rs
@@ -58,8 +58,10 @@ pub(crate) struct ScanContext<'r> {
     /// `matching_rules` map, and then moved to this vector once the scan
     /// finishes.
     pub private_matching_rules: Vec<RuleId>,
-    /// Map containing the IDs of rules that matched.
-    pub matching_rules: FxHashMap<NamespaceId, Vec<RuleId>>,
+    /// Map containing the IDs of rules that matched. Using an `IndexMap`
+    /// because we want to keep the insertion order, so that rules in
+    /// namespaces that were declared first, appear first in scan results.
+    pub matching_rules: IndexMap<NamespaceId, Vec<RuleId>>,
     /// Compiled rules for this scan.
     pub compiled_rules: &'r Rules,
     /// Structure that contains top-level symbols, like module names

diff --git a/lib/src/scanner/mod.rs b/lib/src/scanner/mod.rs
@@ -151,7 +151,7 @@ impl<'r> Scanner<'r> {
                 scanned_data_len: 0,
                 private_matching_rules: Vec::new(),
                 non_private_matching_rules: Vec::new(),
-                matching_rules: FxHashMap::default(),
+                matching_rules: IndexMap::new(),
                 main_memory: None,
                 module_outputs: FxHashMap::default(),
                 user_provided_module_outputs: FxHashMap::default(),
@@ -1020,7 +1020,7 @@ impl<'a, 'r> Metadata<'a, 'r> {
     ///   condition:
     ///     true
     /// }
-    /// "#).unwrap();     
+    /// "#).unwrap();
     ///
     /// let mut scanner = yara_x::Scanner::new(&rules);
     ///