YARA Rule Metadata Aggregator

Build a tool that compiles YARA rules and extracts metadata from them, with special handling for rules that contain duplicate metadata keys.

Requirements

Your tool should:

1. Accept YARA rule source code as input
2. Compile the rules
3. Scan a provided data sample against the compiled rules
4. For each matching rule, extract all metadata values
5. When a rule has duplicate metadata keys (e.g., multiple "author" entries), collect ALL values for that key, not just the last one
6. Return the extracted metadata in a structured format

Implementation

@generates

API

def aggregate_metadata(rule_source: str, scan_data: bytes) -> list[dict]:
    """
    Compile YARA rules from source, scan data, and extract metadata.

    Args:
        rule_source: YARA rule source code as a string
        scan_data: Binary data to scan against the rules

    Returns:
        A list of dictionaries, one per matching rule, where each dictionary
        contains:
        - 'rule': the rule name (string)
        - 'metadata': a dictionary mapping metadata keys to their values.
          For duplicate keys, the value should be a list containing all values
          in the order they appear in the rule.

    Example:
        Given a rule with:
            meta:
                author = "Alice"
                author = "Bob"
                version = "1.0"

        The metadata dict should be:
            {
                "author": ["Alice", "Bob"],
                "version": "1.0"
            }
    """
    pass

Test Cases

• Given a rule with duplicate metadata keys (two "author" fields), the function returns metadata with both author values in a list @test
• Given a rule with no duplicate metadata keys, the function returns metadata values as strings, not lists @test
• Given multiple rules where only some match, the function returns metadata only for matching rules @test

Dependencies { .dependencies }

yara-python { .dependency }

Provides pattern matching and rule compilation capabilities.

@satisfied-by