Support code snippets in VSCode #10

Open
ITAYC0HEN opened this issue Aug 24, 2022 · 5 comments

@ITAYC0HEN
Contributor

Hey! I love YLS so far, thank you!

I am missing the Code Snippets functionality. VS Code plugins have a nice way to implement code snippets to aid the process of authoring code (or yara rules).

I'd love to see something like this in the VSCode plugin:
Using @code to write YARA I've just improved the code snippets in the YARA extension to make writing rules much faster - Simply install the YARA

@MatejKastak
Member

MatejKastak commented Aug 26, 2022

Hi 👋,

thanks for using YLS. I am glad you like it.

We can add snippets for sure! However, here I would need some help from you to find out what snippets you would like and what the trigger word should be. The meta section of the rules, and snippets in general, kind of differ based on author, project, etc.

We can make some generic rule snippet like you are suggesting. Would you prefer exactly the one you have on the gif? Do you use snippets for any other parts of the rule? We can add them also.

I found that this was originally implemented here but it was dropped in favor of generating the snippets dynamically.

For a start I can deliver you the static snippets faster, so I suggest we start with that. If you have a preference we can add a similar mechanism with dynamic snippets later.

MatejKastak self-assigned this Aug 26, 2022
MatejKastak added the enhancement (New feature or request) label Aug 26, 2022

@malvidin
Contributor

I appreciate being able to easily customize and share metadata snippets and condition snippets (infosec-intern/vscode-yara#39). Generating a full rule snippet with default metadata, etc., is very convenient. The pasteRegex, pasteString, $$c, $re, and $s snippets that use the clipboard are also useful.

I would appreciate custom CCCS-YARA metadata snippets. Full CCCS-YARA validation (unique, optional, values, MITRE CTI) would be great. Additional metadata enhancements, like updating the last_modified metadata when the rule fingerprint changes, would be nice, but are less important. I don't know if there is a desire for autocomplete values for sub-categories like malware = "ADWARE|BANKER|..." when the category = "MALWARE".

@ITAYC0HEN
Contributor Author

Thanks for the prompt reply Matej!

Yeah, I think that having this generic static snippet will be a very nice first step.

What bothered me with vscode-yara is that it was moved to only use dynamic snippets, and this makes for a steeper learning curve for users. An entry-level user just wants a very nice thing that works out-of-the-box, rather than being forced to build their own snippets.

And regarding the yls plugin, even before snippets, basic keywords in Yara weren't autocompleted (rule, condition, strings,...) and it took me several minutes to understand that the plugin just lacks this autocomplete, as I expected these words to be autocompleted.

For your question, I use snippets mainly for rule and for meta. Rarely, I use snippets for common conditions like pe header, elf header, etc. I.e., I do, but it's rare.

@MatejKastak
Member

MatejKastak commented Aug 27, 2022

Thank you both for the valuable feedback!

Action items in this PR:

  • implement a default rule snippet from the gif
  • implement a default rule snippet based on CCCS-YARA
  • add snippets that interact with the clipboard pasteRegex, pasteString, $c, $re, $s

I will extract some ideas from this conversation and transform them to issues:

  1. "basic keywords in Yara weren't autocompleted" you are not the first one to ask for that, so I think this should be included. Add support for completing YARA keywords.
  2. Implement system for dynamic snippets, similar to vscode-yara, but still keep the default snippets.
  3. Create new YLS plugin adding support for CCCS-YARA, this would include linting/validation. We can then move from that. Basic completion then malware + category completion.

I am not sure how we could do this:

"Additional metadata enhancements, like updating the last_modified metadata when the rule fingerprint changes, would be nice, but are less important."

@ITAYC0HEN
Contributor Author

Thank you Matej! :)
