chore: bump yara-x to 1.13.0; match upstream config; run Make targets consistently (#1389)

* chore: bump yara-x to 1.13.0; match upstream config; run Make targets consistently

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* revert to Make targets for tests

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* consolidate go + yara-x version definitions

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* one more tweak

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

.github/workflows/codeql.yaml

@@ -12,6 +12,7 @@ on:
 
 env:
   CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
+  YARA_X_RELEASE: "1.13.0"
 
 permissions: {}
 
@@ -34,7 +35,7 @@ jobs:
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: yara-x-install
-          key: yara-x-capi-v1.12.0-${{ runner.os }}
+          key: yara-x-capi-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}
       - name: Checkout virusTotal/yara-x
         if: steps.yara-x-capi.outputs.cache-hit != 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -43,7 +44,7 @@ jobs:
           fetch-tags: true
           repository: virusTotal/yara-x
           path: yara-x
-          ref: refs/tags/v1.12.0
+          ref: refs/tags/v${{ env.YARA_X_RELEASE }}
       - name: Install Rust for yara-x-capi
         if: steps.yara-x-capi.outputs.cache-hit != 'true'
         uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
@@ -56,14 +57,19 @@ jobs:
           path: |
             ~/.cargo/registry/
             ~/.cargo/git/
-          key: rust-cargo-v1.12.0-${{ runner.os }}
+          key: rust-cargo-v${{ env.YARA_X_RELEASE }}-${{ runner.os }}
           restore-keys: rust-cargo-
       - name: Build yara-x-capi
         if: steps.yara-x-capi.outputs.cache-hit != 'true'
         run: |
           command -v cargo-cinstall || cargo install cargo-c --locked
           cd ${{ github.workspace }}/yara-x
-          cargo cinstall -p yara-x-capi --features=native-code-serialization --release --pkgconfigdir=${{ github.workspace }}/yara-x-install --includedir=${{ github.workspace }}/yara-x-install --libdir=${{ github.workspace }}/yara-x-install
+          RUSTFLAGS="-C target-feature=+crt-static" cargo cinstall -p yara-x-capi --features=native-code-serialization \
+            --profile release-lto \
+            --pkgconfigdir=${{ github.workspace }}/yara-x-install \
+            --includedir=${{ github.workspace }}/yara-x-install \
+            --libdir=${{ github.workspace }}/yara-x-install \
+            --crt-static --library-type="staticlib"
           rm -rf ${{ github.workspace }}/yara-x
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0

.github/workflows/fuzz.yaml

@@ -29,6 +29,10 @@ on:
           - "60m"
           - "180m"
 
+env:
+  GO_RELEASE: "go-1.26"
+  YARA_X_RELEASE: "1.13.0"
+
 permissions: {}
 
 jobs:
@@ -117,7 +121,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git gnutar go nodejs upx xz yara-x~1.12.0
+          apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/go-tests.yaml

@@ -11,6 +11,10 @@ on:
     branches:
       - "main"
 
+env:
+  GO_RELEASE: "go-1.26"
+  YARA_X_RELEASE: "1.13.0"
+
 permissions: {}
 
 jobs:
@@ -37,7 +41,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git gnutar go nodejs upx xz yara-x~1.12.0
+          apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -63,8 +67,7 @@ jobs:
           restore-keys: go-
 
       - name: Unit tests
-        run: |
-          make test
+        run: make test
 
   integration:
     if: ${{ github.repository == 'chainguard-dev/malcontent' }}
@@ -89,7 +92,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git gnutar go nodejs upx xz yara-x~1.12.0
+          apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -128,5 +131,4 @@ jobs:
         run: make samples
 
       - name: Integration tests
-        run: |
-          make integration
+        run: make integration

.github/workflows/release.yaml

@@ -6,8 +6,7 @@ name: Cut Release
 on:
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   VERSION_FILE: pkg/version/version.go

.github/workflows/style.yaml

@@ -3,6 +3,10 @@
 
 name: Code Style
 
+env:
+  GO_RELEASE: "go-1.26"
+  YARA_X_RELEASE: "1.13.0"
+
 permissions: {}
 
 on:
@@ -57,7 +61,7 @@ jobs:
 
       - name: Install yara-x
         run: |
-          wget https://github.com/VirusTotal/yara-x/releases/download/v1.10.0/yara-x-v1.10.0-x86_64-unknown-linux-gnu.gz -O yara-x.gz
+          wget https://github.com/VirusTotal/yara-x/releases/download/v${{ env.YARA_X_RELEASE }}/yara-x-v${{ env.YARA_X_RELEASE }}-x86_64-unknown-linux-gnu.gz -O yara-x.gz
           gunzip yara-x.gz && tar -xvf yara-x && chmod +x yr && mv yr /usr/local/bin/ && rm yara-x
       - name: Verify yr installation
         run: |
@@ -143,7 +147,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git go nodejs yara-x~1.10.0
+          apk add curl findutils git ${{ env.GO_RELEASE }} nodejs yara-x~${{ env.YARA_X_RELEASE }}
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/third-party.yaml

@@ -8,8 +8,11 @@ on:
   schedule:
     - cron: "0 */12 * * *"
 
-permissions:
-  contents: read
+env:
+  GO_RELEASE: "go-1.26"
+  YARA_X_RELEASE: "1.13.0"
+
+permissions: {}
 
 jobs:
   update:
@@ -37,7 +40,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add bash curl findutils gh git gnutar go nodejs perl upx xz yara-x~1.12.0
+          apk add bash curl findutils gh git gnutar ${{ env.GO_RELEASE }} nodejs perl upx xz yara-x~${{ env.YARA_X_RELEASE }}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Trust repository
         run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"

Makefile

@@ -15,6 +15,16 @@ LINT_OS := $(shell uname)
 LINT_OS_LOWER := $(shell echo $(LINT_OS) | tr '[:upper:]' '[:lower:]')
 LINT_ROOT := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
+# flags required to successfully build malcontent with yara-x's C API
+CPPFLAGS ?= "-I$(LINT_ROOT)/out/include"
+LDFLAGS :=
+PKGCONF_PATH ?= "$(LINT_ROOT)/out/lib/pkgconfig"
+ifeq ($(LINT_OS),Darwin)
+	LDFLAGS="-L$(LINT_ROOT)/out/lib -Wl,-no_warn_duplicate_libraries,-rpath,$(LINT_ROOT)/out/lib,-lyara_x_capi"
+else ifeq ($(LINT_OS),Linux)
+	LDFLAGS="-L$(LINT_ROOT)/out/lib -Wl,-rpath,$(LINT_ROOT)/out/lib,-lyara_x_capi,-no-pie"
+endif
+
 # yara-x adds an additional string for the platform (apple, unknown)
 LINT_PLATFORM :=
 ifeq ($(LINT_OS),Darwin)
@@ -41,22 +51,22 @@ $(GOLANGCI_LINT_BIN):
 	mv $(LINT_ROOT)/out/linters/golangci-lint $@
 
 YARA_X_REPO ?= virusTotal/yara-x
-YARA_X_VERSION ?= v1.12.0
-YARA_X_COMMIT ?= 466a624e381beefde7665433494887d80932a662
+YARA_X_VERSION ?= v1.13.0
+YARA_X_COMMIT ?= d397e8c3feee79e91f4b389288ba244264da2813
 YARA_X_SHA :=
 ifeq ($(LINT_OS),Darwin)
 	ifeq ($(shell uname -m),arm64)
 		LINT_ARCH = aarch64
-		YARA_X_SHA = 63100b4d6505c366d3c6af5145a26b961d2bf1646a4442716d81bb6f6a4dbee2
+		YARA_X_SHA = 0931697b9cfe74cade4a7136610a5cd254ae3bed95831b413c6b54f5760d554f
 	else
-		YARA_X_SHA = 29a50a3cf442206b9c116f3a322debc367215d4667cf99512550cbdca7c88fc0
+		YARA_X_SHA = 226dce240b8d674db3c83b5c0b6d336268a46f1fbd6718fa9bdeb3735857f6c4
 	endif
 else ifeq ($(LINT_OS),Linux)
 	ifeq ($(shell uname -m),arm64)
 		LINT_ARCH = aarch64
-		YARA_X_SHA = 614cb7b5a738e1e6e3fe6b98bca207c2dfd012ad95d4a85d5e62a0eac985c554
+		YARA_X_SHA = a50e9b593c5a6039c227f665b8ade1ea1c4bee3be5789add3e33f033cbf427ae
 	else
-		YARA_X_SHA = f460a20b78b66b08b6d323f1d1ed00ab94328ae98a3f755f29692e49caa48cb7
+		YARA_X_SHA = b93fb0b87016c60498c26b8a17d2617bbc49f5d5b1a291cde5b09658ce93bb69
 	endif
 endif
 YARA_X_BIN := $(LINT_ROOT)/out/linters/yr-$(YARA_X_VERSION)-$(LINT_ARCH)
@@ -70,14 +80,20 @@ $(YARA_X_BIN):
 
 LINTERS += golangci-lint-lint
 golangci-lint-lint: $(GOLANGCI_LINT_BIN)
-	find . -maxdepth 1 -name go.mod -print0 | xargs -0 -L1 -I{} /bin/sh -c '"$(GOLANGCI_LINT_BIN)" run -c "$(GOLANGCI_LINT_CONFIG)"' \;
+	find . -maxdepth 1 -name go.mod -print0 | xargs -0 -L1 -I{} /bin/sh -c 'CGO_LDFLAGS=$(LDFLAGS) CGO_CPPFLAGS=$(CPPFLAGS) PKG_CONFIG_PATH=$(PKGCONF_PATH) "$(GOLANGCI_LINT_BIN)" run -c "$(GOLANGCI_LINT_CONFIG)"' \;
 
 FIXERS += golangci-lint-fix
 golangci-lint-fix: $(GOLANGCI_LINT_BIN)
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	find . -maxdepth 1 -name go.mod -execdir "$(GOLANGCI_LINT_BIN)" run -c "$(GOLANGCI_LINT_CONFIG)" --fix \;
 
 FIXERS += modernize
 modernize:
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest -fix -test ./...
 
 LINTERS += yara-x-fmt
@@ -115,7 +131,7 @@ out/$(SAMPLES_REPO)/.decompressed-$(SAMPLES_COMMIT): out/${SAMPLES_REPO}/.git/co
 
 out/$(YARA_X_REPO)/.git/commit-$(YARA_X_COMMIT):
 	mkdir -p out/$(YARA_X_REPO)
-	test -d out/$(YARA_X_REPO)/.git ||git clone https://github.com/$(YARA_X_REPO).git out/$(YARA_X_REPO)
+	test -d out/$(YARA_X_REPO)/.git || git clone https://github.com/$(YARA_X_REPO).git out/$(YARA_X_REPO)
 	rm out/$(YARA_X_REPO)/.git/commit-* 2>/dev/null || true
 	git -C out/$(YARA_X_REPO) switch - || true
 	git -C out/$(YARA_X_REPO) pull --rebase --autostash
@@ -130,7 +146,7 @@ install-yara-x: out/$(YARA_X_REPO)/.git/commit-$(YARA_X_COMMIT)
 	mkdir -p out/include
 	cd out/$(YARA_X_REPO) && \
 	cargo install cargo-c --locked && \
-	cargo cinstall -p yara-x-capi --features=native-code-serialization --release --prefix="$(LINT_ROOT)/out" --libdir="$(LINT_ROOT)/out/lib"
+	RUSTFLAGS="-C target-feature=+crt-static" cargo cinstall -p yara-x-capi --features=native-code-serialization --profile release-lto --prefix="$(LINT_ROOT)/out" --libdir="$(LINT_ROOT)/out/lib" --crt-static --library-type="staticlib"
 
 .PHONY: update-deps
 update-deps:
@@ -140,6 +156,9 @@ update-deps:
 # unit tests only
 .PHONY: test
 test:
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go test -race ./pkg/...
 
 FUZZ_TIME ?= 10s
@@ -149,9 +168,9 @@ fuzz:
 		awk -F'[:(]' '{gsub(/func /, "", $$2); dir=$$1; sub(/\/[^/]+$$/, "/", dir); print $$2, "./" dir}' | \
 		while read -r func dir; do \
 			echo "--- $$func ($$dir) ---"; \
-			CGO_LDFLAGS="-L$(LINT_ROOT)/out/lib -Wl,-rpath,$(LINT_ROOT)/out/lib" \
-			CGO_CPPFLAGS="-I$(LINT_ROOT)/out/include" \
-			PKG_CONFIG_PATH="$(LINT_ROOT)/out/lib/pkgconfig" \
+			CGO_LDFLAGS=$(LDFLAGS) \
+			CGO_CPPFLAGS=$(CPPFLAGS) \
+			PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 			go test -timeout 0 -fuzz="^$$func$$" -fuzztime=$(FUZZ_TIME) "$$dir" || exit 1; \
 		done
 
@@ -161,6 +180,9 @@ FUZZ_TARGET ?= FuzzExtractArchive
 FUZZ_PKG ?= ./pkg/archive/
 .PHONY: fuzz-continuous
 fuzz-continuous:
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go test -fuzz=$(FUZZ_TARGET) $(FUZZ_PKG)
 
 # unit tests only
@@ -174,28 +196,44 @@ coverage-html: out/coverage.html
 # pop open the html page in a browser directly
 .PHONY: coverage-browser
 coverage-browser: out/mal.coverage
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go tool cover -html=$<
 
 # generate the html report
 out/coverage.html: out/mal.coverage
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go tool cover -html=$< -o $@
 
 # we always want to regen the coverage data file
 .PHONY: out/mal.coverage
 out/mal.coverage:
 	mkdir -p out
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go test -coverprofile $@ -race ./pkg/... -coverpkg ./pkg/...
 
 # integration tests only
 .PHONY: integration
 integration: out/$(SAMPLES_REPO)/.decompressed-$(SAMPLES_COMMIT)
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go test -race -timeout 0 ./tests/...
 
 .PHONY: bench
 bench: out/$(SAMPLES_REPO)/.decompressed-$(SAMPLES_COMMIT)
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go test -run=^\$$ -bench=. ./... -benchmem
 
-BENCH_CMD := go test -benchmem -run=^\$$ -bench ^BenchmarkRun\$$ github.com/chainguard-dev/malcontent/tests -args
+BENCH_CMD := CGO_LDFLAGS=$(LDFLAGS) CGO_CPPFLAGS=$(CPPFLAGS) PKG_CONFIG_PATH=$(PKGCONF_PATH) \
+	go test -benchmem -run=^\$$ -bench ^BenchmarkRun\$$ github.com/chainguard-dev/malcontent/tests -args
 
 .PHONY: bench-malcontent
 bench-malcontent:
@@ -244,9 +282,9 @@ bench-windows:
 .PHONY: out/mal
 out/mal:
 	mkdir -p out
-	CGO_LDFLAGS="-L$(LINT_ROOT)/out/lib -Wl,-rpath,$(LINT_ROOT)/out/lib" \
-	CGO_CPPFLAGS="-I$(LINT_ROOT)/out/include" \
-	PKG_CONFIG_PATH="$(LINT_ROOT)/out/lib/pkgconfig" \
+	CGO_LDFLAGS=$(LDFLAGS) \
+	CGO_CPPFLAGS=$(CPPFLAGS) \
+	PKG_CONFIG_PATH=$(PKGCONF_PATH) \
 	go build -o out/mal ./cmd/mal
 
 .PHONY: update-third-party
@@ -258,7 +296,7 @@ refresh-sample-testdata: out/$(SAMPLES_REPO)/.decompressed-$(SAMPLES_COMMIT) out
 	MALCONTENT_UPX_PATH=$(shell which upx) ./out/mal refresh
 
 ARCH ?= $(shell uname -m)
-CRANE_VERSION=v0.20.7
+CRANE_VERSION=v0.21.0
 out/crane-$(ARCH)-$(CRANE_VERSION):
 	mkdir -p out
 	GOBIN=$(CURDIR)/out go install github.com/google/go-containerregistry/cmd/crane@$(CRANE_VERSION)

go.mod

@@ -1,9 +1,9 @@
 module github.com/chainguard-dev/malcontent
 
-go 1.25.7
+go 1.26.0
 
 require (
-	github.com/VirusTotal/yara-x/go v1.12.0
+	github.com/VirusTotal/yara-x/go v1.13.0
 	github.com/cavaliergopher/cpio v1.0.1
 	github.com/cavaliergopher/rpm v1.3.0
 	github.com/chainguard-dev/clog v1.8.0

go.sum

@@ -1,5 +1,5 @@
-github.com/VirusTotal/yara-x/go v1.12.0 h1:RfLiZX4mrro2jJtaI3NLViJBeUXzkuOjlRY5S2jiQrk=
-github.com/VirusTotal/yara-x/go v1.12.0/go.mod h1:lgXP/nkYX349MVowrtTtU5hzMdCOWQLv3+wKll9+0F8=
+github.com/VirusTotal/yara-x/go v1.13.0 h1:Maidzjq4Y27CczuBOWlKr+3En3E/3UVVNHNOKlzr4ww=
+github.com/VirusTotal/yara-x/go v1.13.0/go.mod h1:lgXP/nkYX349MVowrtTtU5hzMdCOWQLv3+wKll9+0F8=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=