Skip to content

v1.0.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 23 May 15:32
v1.0.0
eb2a933

This release marks the first stable release of Boreal as it is now entirely feature complete with YARA:

  • All features available in YARA are available in boreal
  • A CLI binary is available that is 100% compatible with invocations of the yara CLI binary.
  • A new python library has been released, also 100% compatible with the yara python library.

Here is a list of the major features since 0.9.0:

  • Python bindings have been added, and are available through the boreal-python pypi package. Those bindings provide a "yara compatibility" mode with full compatibility with the yara python bindings, allowing seamless transition from it.

  • The boreal CLI tool has been reworked and completed. It now supports all options from the yara CLI tool (except --atom-quality-table) and provides a "yara compatibility" mode through the use of the yr subcommand, allowing seamless transition from it.

  • A scanner can now be serialized into bytes (and deserialized) through the serialize feature. This is the equivalent of the yara save/load API. This however increases the scanner size by a few percent, and has a lot of caveats linked to it. See the Scanner::to_bytes for more details.

  • All scanning APIs now have a variant that uses a callback. This callback will be called on specific events: when a rule matches, when a module is imported, etc. scanner::ScanEvent for more details.

  • Several more features have been added: modifying the include callback, limiting the number of strings per rule, etc. See the changelog below for details.

  • The benchmarks have been reworked: YARA-X have been added to it and benchmarks on the serialize feature have been added.

Since this is the first stable release, several breaking changes have been done to stabilize the API. See the breaking changes list just below.

Breaking changes:

  • The Compiler::into_scanner method has been renamed to Compiler::finalize #226.
  • The namespace field for rules is now non optional, and the default namespace is named "default". This means that if you previously added rules in the default namespace and rules in a custom namespace named "default", this would now add to the same namespace and may conflict. This aligns the logic on what yara does and simplifies compatibility 4ffca07
  • The ScanResult::statistics field is now boxed. This reduces the size of the object greatly.
  • The ScanResult::module_values field has been replaced by ScanResult::modules, which also returns a pointer to the modules, allowing access to their static values #225.
  • boreal::scanner::MatchedRule has been renamed to boreal::scanner::EvaluatedRule
    979f162.
  • boreal::Compiler::default has been removed, use of the CompilerBuilder object is mandatory to customize which modules are enabled 586be27.
  • Bump MSRV to 1.74 928e380.
  • boreal::scanner::StringMatch::data has changed from a Vec<u8> to a Box<[u8]> to reduce the memory size of this object 928e380.
  • boreal::compiler::AddRuleError no longer has a to_short_description method. Instead, this object implements std::fmt::Display which can be used to generate the same short description 6658ebb.

Added

  • Added callback based API variants for all Scanner::scan_* methods. For example, Scanner::scan_mem_with_callback, Scanner::scan_process_with_callback. This callback can receive several type of events, and is able to abort the scan during any received event. See boreal::scanner::ScanEvent and boreal::scanner::CallbackEvents for more details on the types of events handled #187.
  • Added serialize feature to serialize a Scanner object into bytes which can be deserialized on another computer. See Scanner::to_bytes for more details. #203.
  • Added ability to customize include behavior with a callback used during compilation. See Compiler::set_include_callback for more details 637dece.
  • Added scan parameters to include not matched rules in results 8a951d8.
  • Callback for console module can now be provided in the scanner rather than during compilation 3522484.
  • Added Scanner::rules to iterate over the rules contained in a scanner 68ee69b.
  • Added max_strings_per_rule compilation parameter to fail compilation if a rule contains too many rules 696ce79.
  • Added xor_key field in boreal::scanner::StringMatch to indicate which xor key was used on a given match 7c9fd27.
  • Added has_xor_modifier field in boreal::scanner::StringMatches 6853938.
  • Implement std::fmt::Display and std::error::Error on boreal::compiler::AddRuleError. This means this is now a real Error object and the AddRuleError::to_short_description method no longer needs to be called to generate a description for the error 6658ebb.

Updated

boreal-cli

See the boreal-cli CHANGELOG file.

Assets 8
Loading