-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Port malcontent to YARA-X #227
Comments
Looks like this will be a pre-req for working with Yara-X. I ran into issues running
to avoid using
|
Ouch. With this change, it sounds like we'd be taking on two large dependencies that we didn't have before. I think that we should save this change for a little while - at least until YARA-X is available in homebrew and the mainstream Linux distros. Closing this for now - but I expect we'll likely resurrect it by the end of the year. |
Found an example of Yara-X usage in Go: https://github.com/zz1gg/threatchecker/blob/main/utils/yara_x.go and used it as a reference for a very WIP feature branch. There's a way to ignore modules when compiling rules but it doesn't seem like we get much control over warnings or errors like we do with the current package. Aside from that, it looks like most everything else should be accessible except for Tags which don't seem to be a concept with Yara-X (at least as of version |
@tstromberg it's in homebrew now (https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/y/yara-x.rb) |
That's great news! @egibs has also been working on upstream patches that should soon make it possible to port malcontent to YARA-X. |
Yep -- there were two missing features that we rely on in
Once those are officially released, we can start working on moving everything over*.
|
YARA now has official Go bindings:
https://virustotal.github.io/yara-x/blog/yara-is-dead-long-live-yara-x/
There are only 2-3 calls into the existing library we use - https://github.com/hillu/go-yara - but I'm sure the data structure it returns has some differences that will need to be resolved.
Here's where I would start making the change:
https://github.com/chainguard-dev/bincapz/blob/996ba4c2c19d42694937f9b50af3bbc74b2ca3af/pkg/compile/compile.go#L59
This function, which converts YARA results into an internal FileReport struct will also need changes:
https://github.com/chainguard-dev/bincapz/blob/996ba4c2c19d42694937f9b50af3bbc74b2ca3af/pkg/report/report.go#L275
The text was updated successfully, but these errors were encountered: