yara-ffi 3.1.0 → 4.1.0

data/Dockerfile

@@ -1,17 +1,25 @@
-FROM ruby:2.6.6
 
-RUN apt-get update -qq
-RUN apt-get install -y flex bison
+FROM ruby:3.3
+
+RUN apt-get update -qq \
+  && apt-get install -y curl git unzip
 
 WORKDIR /app
 
 COPY . ./
-RUN gem install bundler:2.2.15
-RUN bundle install
+RUN gem install bundler:2.2.15 \
+  && bundle install
+
+# Install Rust and cargo-c for building YARA-X C API
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
+  && . $HOME/.cargo/env \
+  && cargo install cargo-c
+
+# Build and install YARA-X C API library
+RUN . $HOME/.cargo/env \
+  && git clone --depth 1 --branch v1.5.0 https://github.com/VirusTotal/yara-x.git /tmp/yara-x \
+  && cd /tmp/yara-x \
+  && cargo cinstall -p yara-x-capi --release \
+  && rm -rf /tmp/yara-x
 
-RUN git clone --recursive --branch v4.1.1 https://github.com/VirusTotal/yara.git /tmp/yara && \
-  cd /tmp/yara/ && \
-  ./bootstrap.sh && \
-  ./configure && \
-  make && \
-  make install
+ENV PATH="/usr/local/bin:$PATH"

data/Gemfile.lock

@@ -1,44 +1,59 @@
 PATH
   remote: .
   specs:
-    yara-ffi (3.0.0)
+    yara-ffi (4.1.0)
       ffi
 
 GEM
   remote: https://rubygems.org/
   specs:
-    ast (2.4.2)
+    ast (2.4.3)
     coderay (1.1.3)
-    ffi (1.15.5)
-    method_source (1.0.0)
-    minitest (5.14.4)
-    parallel (1.20.1)
-    parser (3.0.0.0)
+    ffi (1.17.2)
+    ffi (1.17.2-aarch64-linux-gnu)
+    ffi (1.17.2-arm64-darwin)
+    ffi (1.17.2-x86_64-darwin)
+    ffi (1.17.2-x86_64-linux-gnu)
+    json (2.13.2)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    method_source (1.1.0)
+    minitest (5.25.5)
+    parallel (1.27.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
-    pry (0.14.0)
+      racc
+    prism (1.4.0)
+    pry (0.15.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    rainbow (3.0.0)
-    rake (13.0.3)
-    regexp_parser (2.1.1)
-    rexml (3.2.4)
-    rubocop (1.11.0)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.3.0)
+    regexp_parser (2.11.2)
+    rubocop (1.79.2)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
-      parser (>= 3.0.0.0)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml
-      rubocop-ast (>= 1.2.0, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.46.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.4.1)
-      parser (>= 2.7.1.5)
-    ruby-progressbar (1.11.0)
-    unicode-display_width (2.0.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.46.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    ruby-progressbar (1.13.0)
+    unicode-display_width (3.1.5)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
 
 PLATFORMS
   aarch64-linux
   arm64-darwin-21
+  ruby
   x86_64-darwin-19
   x86_64-linux
 
@@ -50,4 +65,4 @@ DEPENDENCIES
   yara-ffi!
 
 BUNDLED WITH
-   2.2.32
+   2.7.1

data/README.md

@@ -1,13 +1,34 @@
 # yara-ffi
 
-A Ruby library for using [libyara](https://yara.readthedocs.io/en/stable/capi.html) via FFI.
+A Ruby library for using [YARA-X](https://virustotal.github.io/yara-x/) via FFI bindings. YARA-X is a modern, Rust-based implementation of YARA that's faster and safer than the original C implementation.
+
+## Requirements
+
+- Ruby 3.0 or later
+- YARA-X C API library (`libyara_x_capi`) installed on your system
+
+## Major Features
+
+**🔍 Pattern Matching Analysis**: Extract detailed pattern match information with exact offsets, lengths, and matched data - perfect for forensic analysis.
+
+**🛠️ Advanced Rule Compilation**: Use the `Yara::Compiler` class for complex scenarios with global variables, structured error reporting, and multiple rule sources.
+
+**💾 Rule Serialization**: Compile rules once, serialize for persistence or transport, then deserialize for instant scanning - eliminating compilation overhead.
+
+**🏷️ Metadata & Tags**: Full access to rule metadata with type safety and tag-based rule categorization and filtering.
+
+**🌐 Global Variables**: Set string, boolean, integer, and float globals at runtime to customize rule behavior dynamically.
+
+**📁 Namespace Support**: Organize rules logically, avoid naming conflicts, and access qualified rule names in large rule sets.
+
+**⚡ Performance**: Configurable scan timeouts, efficient resource management with automatic cleanup, and parallel scanning support.
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```ruby
-gem "yara"
+gem "yara-ffi"
 ```
 
 And then execute:
@@ -18,49 +39,48 @@ Or install it yourself as:
 
     $ gem install yara-ffi
 
-## Usage
+## Quick Start
 
 ```ruby
-Yara.start # run before you start using the Yara API.
-
-rule = <<-RULE
-rule ExampleRule
-{
-meta:
-    string_meta = "an example rule for testing"
-
-strings:
-    $my_text_string = "we were here"
-    $my_text_regex = /were here/
-
-condition:
-    $my_text_string or $my_text_regex
-}
-RULE
-
-scanner = Yara::Scanner.new
-scanner.add_rule(rule)
-scanner.compile
-result = scanner.call("one day we were here and then we were not").first
-result.match?
-# => true
-
-scanner.close   # run when you are done using the scanner API and want to free up memory.
-Yara.stop       # run when you are completely done using the Yara API to free up memory.
+require 'yara'
+
+# Simple test
+results = Yara.test(rule_string, data)
+puts "Matched: #{results.first.rule_name}" if results.first&.match?
+
+# Resource-managed scanning
+Yara::Scanner.open(rule) do |scanner|
+  scanner.compile
+  results = scanner.scan(data)
+end
 ```
 
+**📖 For comprehensive usage examples, advanced features, and API documentation, see [USAGE.md](USAGE.md).**
+
+## API Overview
+
+**Core Classes**: `Yara`, `Yara::Scanner`, `Yara::Compiler`, `Yara::ScanResult`, `Yara::ScanResults`, `Yara::PatternMatch`
+
+**Key Methods**: `Yara.test()`, `Yara.scan()`, `Scanner.open()`, `Scanner#scan()`, `ScanResult#pattern_matches`
+
+**📖 For detailed API documentation, examples, and advanced usage patterns, see [USAGE.md](USAGE.md).**
+
+## Installing YARA-X
+
+You'll need the YARA-X C API library installed on your system. You can:
+
+1. Build from source: https://github.com/VirusTotal/yara-x
+2. Install via package manager (when available)
+3. Use the provided Docker environment
+
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+See [DEVELOPMENT.md](DEVELOPMENT.md) for detailed development setup instructions, testing guidelines, and contribution workflow.
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/jonmagic/yara-ffi. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/jonmagic/yara-ffi/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/jonmagic/yara-ffi. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](CODE_OF_CONDUCT.md).
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
-
-## Code of Conduct
-
-Everyone interacting in the Yara::Ffi project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/jonmagic/yara-ffi/blob/master/CODE_OF_CONDUCT.md).
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).