search

VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License
8.13k stars 1.42k forks source link

make check error: invalid field name "type" #1926

Open Mengpolar opened 1 year ago

Mengpolar commented 1 year ago

Describe the bug make check error.

To Reproduce

# ./bootstrap.sh
...
# ./configure --enable-cuckoo --enable-magic --enable-dotnet
...
# make
...
# sudo make install
...
# make check
...
PASS: test-async
PASS: test-string
PASS: test-exception
PASS: test-dotnet
FAIL: test-magic
============================================================================
Testsuite summary for yara 4.3.1
============================================================================
# TOTAL: 17
# PASS:  16
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
Please report to vmalvarez@virustotal.com
============================================================================
make[3]: *** [Makefile:2588: test-suite.log] Error 1
make[3]: Leaving directory '/opt/yara-4.3.1'
make[2]: *** [Makefile:2696: check-TESTS] Error 2
make[2]: Leaving directory '/opt/yara-4.3.1'
make[1]: *** [Makefile:3036: check-am] Error 2
make[1]: Leaving directory '/opt/yara-4.3.1'
make: *** [Makefile:3038: check] Error 2

test-suite.log

==================================
   yara 4.3.1: ./test-suite.log
==================================

# TOTAL: 17
# PASS:  16
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: test-magic
================

failed to compile rule << import "magic" rule test { condition:       magic.type() contains "ELF" } >>: line 1: invalid field name "type"
FAIL test-magic (exit status: 1)

and

# file --version
file-5.38

Expected behavior All PASS.

Screenshots

Please complete the following information:

Mengpolar commented 1 year ago

I tried to recompile and succeeded :)

# rm -rf yara-4.3.1
# tar -zxf yara-4.3.1.tar.gz
# cd yara-4.3.1
# ./bootstrap.sh
# ./configure --enable-cuckoo --enable-magic --enable-dotnet --with-crypto
# make
# sudo make install
# make check
...
make[2]: Leaving directory '/opt/yara-4.3.1'
make  check-TESTS
make[2]: Entering directory '/opt/yara-4.3.1'
make[3]: Entering directory '/opt/yara-4.3.1'
PASS: test-arena
PASS: test-alignment
PASS: test-atoms
PASS: test-api
PASS: test-rules
PASS: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-stack
PASS: test-re-split
PASS: test-async
PASS: test-string
PASS: test-exception
PASS: test-dotnet
PASS: test-magic
============================================================================
Testsuite summary for yara 4.3.1
============================================================================
# TOTAL: 17
# PASS:  17
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/opt/yara-4.3.1'
make[2]: Leaving directory '/opt/yara-4.3.1'
make[1]: Leaving directory '/opt/yara-4.3.1'
plusvic commented 1 year ago

I was pulling my hair trying to reproduce the issue, without success. I don't know how something like that would happen. What if you try recompiling again? Maybe the issue is flaky but still reproducible?

Malwarebinary commented 9 months ago

I had the same issue while running the make test command at the end of the install process. When reading the VT documentation regarding the magic module, there is a mention about the database file /etc/magic.mgc that was not found on my system.

Previously, I had upgraded my Ubuntu system to version 22.04 and I believe the library libmagic-dev has been installed on my previous Ubuntu version 20.04. From there, I have found the file on the web and I put it in the expected location. After that, I started the installation from scratch (same install commands as @Mengpolar) and it worked.