fix(cli): preserve duplicate metadata keys in JSON output (VirusTotal#550)

PeterMatula · web-flow · commit 6ab30fa71e5a · 2026-02-05T13:15:15.000+01:00
When YARA rules contain multiple metadata entries with the same key (e.g., multiple hash entries), the JSON output now groups them into an array instead of silently discarding all but one value.

This matches the behavior of original YARA's JSON output format.
diff --git a/cli/src/commands/scan.rs b/cli/src/commands/scan.rs
@@ -1088,15 +1088,30 @@ mod output_handler {
                 })
                 .map(|rule| {
                     let meta = self.output_options.include_meta.then(|| {
-                        rule.metadata()
-                            .map(|(meta_key, meta_val)| {
-                                let meta_key = meta_key.to_owned();
-                                let meta_val = serde_json::to_value(meta_val)
-                                    .expect(
-                                    "Derived Serialize impl should never fail",
-                                );
+                        // Group metadata by key to handle duplicate keys.
+                        let mut grouped: HashMap<
+                            String,
+                            Vec<serde_json::Value>,
+                        > = HashMap::new();
+
+                        for (meta_key, meta_val) in rule.metadata() {
+                            let key = meta_key.to_owned();
+                            let val = serde_json::to_value(meta_val).expect(
+                                "Derived Serialize impl should never fail",
+                            );
+                            grouped.entry(key).or_default().push(val);
+                        }
 
-                                (meta_key, meta_val)
+                        // Single values stay as-is, multiple values become arrays.
+                        grouped
+                            .into_iter()
+                            .map(|(k, mut v)| {
+                                let val = if v.len() == 1 {
+                                    v.pop().unwrap()
+                                } else {
+                                    serde_json::Value::Array(v)
+                                };
+                                (k, val)
                             })
                             .collect::<HashMap<_, _>>()
                     });
diff --git a/cli/src/tests/scan.rs b/cli/src/tests/scan.rs
@@ -2,6 +2,7 @@ use assert_cmd::{cargo_bin, Command};
 use assert_fs::prelude::*;
 use assert_fs::TempDir;
 use predicates::prelude::*;
+use serde_json;
 
 #[test]
 fn always_true() {
@@ -356,3 +357,65 @@ fn issue_280() {
         .assert()
         .success();
 }
+
+#[test]
+fn json_output_duplicate_meta_keys() {
+    // Test that duplicate metadata keys are preserved as arrays in JSON output
+    let output = Command::new(cargo_bin!("yr"))
+        .arg("scan")
+        .arg("--output-format=json")
+        .arg("--print-meta")
+        .arg("src/tests/testdata/duplicate_meta.yar")
+        .arg("src/tests/testdata/dummy.file")
+        .assert()
+        .success()
+        .get_output()
+        .stdout
+        .clone();
+
+    let json: serde_json::Value =
+        serde_json::from_slice(&output).expect("valid JSON output");
+
+    // Navigate to the meta object
+    let meta = &json["matches"][0]["meta"];
+
+    // Single-value keys should remain as single values
+    assert_eq!(meta["author"], "Test Author");
+    assert_eq!(meta["description"], "Rule with duplicate metadata keys");
+
+    // Duplicate keys should become arrays
+    let hash = &meta["hash"];
+    assert!(hash.is_array(), "hash should be an array");
+    let hash_array = hash.as_array().unwrap();
+    assert_eq!(hash_array.len(), 3);
+    assert!(hash_array.contains(&serde_json::json!("aaa111")));
+    assert!(hash_array.contains(&serde_json::json!("bbb222")));
+    assert!(hash_array.contains(&serde_json::json!("ccc333")));
+}
+
+#[test]
+fn json_output_single_meta_not_array() {
+    // Test that single metadata values are NOT wrapped in arrays
+    let output = Command::new(cargo_bin!("yr"))
+        .arg("scan")
+        .arg("--output-format=json")
+        .arg("--print-meta")
+        .arg("src/tests/testdata/foo.yar")
+        .arg("src/tests/testdata/dummy.file")
+        .assert()
+        .success()
+        .get_output()
+        .stdout
+        .clone();
+
+    let json: serde_json::Value =
+        serde_json::from_slice(&output).expect("valid JSON output");
+
+    let meta = &json["matches"][0]["meta"];
+
+    // All values should be single values, not arrays
+    assert!(meta["string"].is_string());
+    assert!(meta["bool"].is_boolean());
+    assert!(meta["int"].is_i64());
+    assert!(meta["float"].is_f64());
+}
diff --git a/cli/src/tests/testdata/duplicate_meta.yar b/cli/src/tests/testdata/duplicate_meta.yar
@@ -0,0 +1,10 @@
+rule duplicate_meta {
+  meta:
+    author = "Test Author"
+    hash = "aaa111"
+    hash = "bbb222"
+    hash = "ccc333"
+    description = "Rule with duplicate metadata keys"
+  condition:
+    true
+}
