[arch-commits] Commit in osquery/trunk (PKGBUILD yara4.patch)

Anatol Pomozov anatolik at archlinux.org
Sat May 16 02:32:55 UTC 2020


    Date: Saturday, May 16, 2020 @ 02:32:54
  Author: anatolik
Revision: 628146

upgpkg: osquery 4.3.0-2: Yara 4 rebuild

Added:
  osquery/trunk/yara4.patch
Modified:
  osquery/trunk/PKGBUILD

-------------+
 PKGBUILD    |   10 ++++++---
 yara4.patch |   59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-05-16 01:21:21 UTC (rev 628145)
+++ PKGBUILD	2020-05-16 02:32:54 UTC (rev 628146)
@@ -2,7 +2,7 @@
 
 pkgname=osquery
 pkgver=4.3.0
-pkgrel=1
+pkgrel=2
 pkgdesc='SQL powered operating system instrumentation, monitoring, and analytics'
 arch=(x86_64)
 url='https://osquery.io'
@@ -13,10 +13,12 @@
 _smartmontools_commit=5f7669fba545f32a6d0c07e2be67df16f3eb354b
 source=(osquery-$pkgver.zip::https://github.com/osquery/osquery/archive/$pkgver.zip
         third-party-smartmontools.zip::https://github.com/osquery/third-party-smartmontools/archive/$_smartmontools_commit.zip
-        devendorize.patch::https://github.com/anatol/osquery/compare/$pkgver...$pkgver-archlinux.patch)
+        devendorize.patch::https://github.com/anatol/osquery/compare/$pkgver...$pkgver-archlinux.patch
+	yara4.patch)
 sha256sums=('69b570a6e5b4d3a92a7f3812fc78137383aa564025d697cef6e8717e404e3b66'
             '891f11acd804aa0d53dbec599e6a32ad9c1e5392a3eb4022714871f3a1ce95ee'
-            'b916c36f7e0394baf627fb0991431f77d796b29014719b754e05a761576def05')
+            'b916c36f7e0394baf627fb0991431f77d796b29014719b754e05a761576def05'
+            '201b3a9f5594214b3133492618b321f428fd2cfbdec63e88436a50c748710158')
 
 prepare() {
   cd osquery-$pkgver
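Review bot: The new `+	yara4.patch)` entry in the source array is indented with a tab while the neighbouring entries use eight spaces, so the array no longer lines up and the next edit will carry a whitespace-only change; align it as `        yara4.patch)`. Pinning the local patch's sha256 next to the download checksums is the right call, since makepkg then refuses to apply a patch file that was altered after packaging. The checksum of the remote `devendorize.patch` is unchanged, so the two patches are independent of each other.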
@@ -24,6 +26,8 @@
 
   rm -rf libraries/cmake/source/smartmontools/src
   ln -sf `pwd`/../third-party-smartmontools-$_smartmontools_commit libraries/cmake/source/smartmontools/src
+
+  patch -p1 < ../yara4.patch
 }
 
 build() {
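Review bot: `patch -p1 < ../yara4.patch` passes the patch through a shell redirect, so if the hunk is ever detected as already applied, patch can fall back to an interactive prompt instead of a clean failure; the form used throughout Arch packaging, `patch -Np1 -i ../yara4.patch`, names the input explicitly and with `-N` treats an already-applied or reversed patch as an error. This matters for reproducibility because a prompt inside `prepare()` would stall a non-interactive build rather than abort it. The patch itself uses `a/`/`b/` prefixes, so `-p1` is the correct strip level; `prepare()` starts outside this hunk.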

Added: yara4.patch
===================================================================
--- yara4.patch	                        (rev 0)
+++ yara4.patch	2020-05-16 02:32:54 UTC (rev 628146)
@@ -0,0 +1,59 @@
+commit 01d01e39a87e339c88cab216b85ee14428c0f2ec
+Author: Anatol Pomozov <anatol.pomozov at gmail.com>
+Date:   Fri May 15 19:04:57 2020 -0700
+
+    Adopt code for the YARA 4 API changes
+    
+    https://github.com/VirusTotal/yara/wiki/Backward-incompatible-changes-in-YARA-4.0-API
+
+diff --git a/osquery/tables/yara/yara_utils.cpp b/osquery/tables/yara/yara_utils.cpp
+index 897c18c2..d08bf437 100644
+--- a/osquery/tables/yara/yara_utils.cpp
++++ b/osquery/tables/yara/yara_utils.cpp
+@@ -31,6 +31,7 @@ bool yaraShouldSkipFile(const std::string& path, mode_t st_mode) {
+ void YARACompilerCallback(int error_level,
+                           const char* file_name,
+                           int line_number,
++                          const YR_RULE* rule,
+                           const char* message,
+                           void* user_data) {
+   if (error_level == YARA_ERROR_LEVEL_ERROR) {
+@@ -209,7 +210,7 @@ Status handleRuleFiles(const std::string& category,
+  * This is the YARA callback. Used to store matching rules in the row which is
+  * passed in as user_data.
+  */
+-int YARACallback(int message, void* message_data, void* user_data) {
++int YARACallback(YR_SCAN_CONTEXT* context, int message, void* message_data, void* user_data) {
+   if (message == CALLBACK_MSG_RULE_MATCHING) {
+     Row* r = (Row*)user_data;
+     YR_RULE* rule = (YR_RULE*)message_data;
+@@ -223,7 +224,7 @@ int YARACallback(int message, void* message_data, void* user_data) {
+     YR_STRING* string = nullptr;
+     yr_rule_strings_foreach(rule, string) {
+       YR_MATCH* match = nullptr;
+-      yr_string_matches_foreach(string, match) {
++      yr_string_matches_foreach(context, string, match) {
+         if ((*r)["strings"].length() > 0) {
+           (*r)["strings"] += "," + std::string(string->identifier);
+         } else {
+diff --git a/osquery/tables/yara/yara_utils.h b/osquery/tables/yara/yara_utils.h
+index dd860041..bf984240 100644
+--- a/osquery/tables/yara/yara_utils.h
++++ b/osquery/tables/yara/yara_utils.h
+@@ -28,6 +28,7 @@ const std::string kYARAHome{OSQUERY_HOME "yara/"};
+ void YARACompilerCallback(int error_level,
+                           const char* file_name,
+                           int line_number,
++                          const YR_RULE* rule,
+                           const char* message,
+                           void* user_data);
+ 
+@@ -42,7 +43,7 @@ Status handleRuleFiles(const std::string& category,
+  */
+ bool yaraShouldSkipFile(const std::string& path, mode_t st_mode);
+ 
+-int YARACallback(int message, void* message_data, void* user_data);
++int YARACallback(YR_SCAN_CONTEXT* context, int message, void* message_data, void* user_data);
+ 
+ /**
+  * @brief A simple ConfigParserPlugin for a "yara" dictionary key.
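Review bot: The `const YR_RULE* rule` parameter added to `YARACompilerCallback` in yara_utils.cpp (and mirrored in the yara_utils.h hunk) is not referenced in the visible part of the function, and the body continues past the hunk; if it is unused there too, a comment on the parameter such as `const YR_RULE* rule, // unused; required by the YARA 4 compiler-callback signature` would tell the next reader the extra argument is deliberate rather than a half-finished change. The `YR_SCAN_CONTEXT* context` argument of `YARACallback` needs no such note, since the hunk shows it forwarded to `yr_string_matches_foreach(context, string, match)`, which is the reason the callback signature changed in the linked YARA 4 migration page. Because this is a package-local patch against osquery 4.3.0, a one-line note in the PKGBUILD saying it can be dropped once upstream builds against YARA 4 would save the next maintainer from re-deriving that at the next version bump.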


