
feat: add VSIX module for parsing VS Code extensions #540

Open

dguido wants to merge 6 commits into VirusTotal:main from dguido:add-vsix-module

Conversation

@dguido (Contributor) commented Jan 31, 2026

Summary

Add a new module for parsing Visual Studio Code Extension (VSIX) files, enabling YARA rules to match on extension metadata and security-relevant properties.

This module is designed for security analysis of VS Code extensions, similar to how the existing crx module handles Chrome extensions.

Fields exposed

| Field | Description |
|---|---|
| name, display_name, publisher, version, id | Extension identity |
| main, browser | Entry points (security-critical) |
| activation_events | Array of activation triggers |
| vscode_version | Required VS Code version |
| repository, homepage, license | Metadata |
| categories, keywords | Classification |
| files | List of files in archive |

Functions

| Function | Description |
|---|---|
| activationhash() | SHA-256 hash of sorted activation events |
| has_activation_event(event) | Check for specific activation event |

Example rules

```
import "vsix"

// Detect extensions with wildcard activation (potentially suspicious)
rule wildcard_activation {
  condition:
    vsix.is_vsix and vsix.has_activation_event("*")
}

// Find extensions by publisher
rule anthropic_extension {
  condition:
    vsix.is_vsix and vsix.publisher iequals "anthropic"
}

// Theme extensions (no code entry points)
rule theme_only {
  condition:
    vsix.is_vsix and
    not defined vsix.main and
    not defined vsix.browser and
    for any cat in vsix.categories : (cat == "Themes")
}
```

Test plan

  • 11 unit tests covering all fields and functions
  • All tests pass: `cargo test -p yara-x vsix`

🤖 Generated with Claude Code
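As an added example (not code from this PR or from the yara-x code base), the following Python sketch shows what the module has to do with a VSIX file: open the zip archive, read extension/package.json, expose the fields listed above, and implement has_activation_event plus an activation hash. The sample VSIX is constructed in memory; the hash serialization (sorted events joined by newlines) and the helper names are assumptions, since the PR only states "SHA-256 hash of sorted activation events".

```python
import hashlib
import io
import json
import zipfile

# Constructed sample: a VSIX is a zip archive whose extension manifest is
# stored at extension/package.json (all values below are made up).
SAMPLE_MANIFEST = {
    "name": "demo-ext",
    "publisher": "example-publisher",
    "main": "./out/extension.js",
    "activationEvents": ["onStartupFinished", "*", "onCommand:demo.run"],
    "engines": {"vscode": "^1.80.0"},
}

def build_sample_vsix() -> bytes:
    """Build an in-memory VSIX holding the constructed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json", json.dumps(SAMPLE_MANIFEST))
        zf.writestr("extension/out/extension.js", "// constructed stub")
    return buf.getvalue()

def parse_vsix(data: bytes) -> dict:
    """Read the fields the module exposes; entry names stay opaque strings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = zf.namelist()
        manifest = json.loads(zf.read("extension/package.json"))
    return {
        "name": manifest.get("name"),
        "publisher": manifest.get("publisher"),
        # VS Code identifies an extension as publisher.name
        "id": f"{manifest.get('publisher')}.{manifest.get('name')}",
        "main": manifest.get("main"),
        "browser": manifest.get("browser"),
        "activation_events": list(manifest.get("activationEvents") or []),
        "vscode_version": (manifest.get("engines") or {}).get("vscode"),
        "files": files,
    }

def has_activation_event(info: dict, event: str) -> bool:
    return event in info["activation_events"]

def activation_hash(info: dict) -> str:
    # Assumption: sorted events are newline-joined (the PR only says "sorted").
    joined = "\n".join(sorted(info["activation_events"]))
    return hashlib.sha256(joined.encode()).hexdigest()

def wildcard_code_extension(info: dict) -> bool:
    # Same condition as the wildcard_activation rule, plus a code entry point.
    return bool(info["main"] or info["browser"]) and has_activation_event(info, "*")
```

The hash is order-independent by construction, so two extensions with the same set of activation events can be clustered on activation_hash regardless of how their manifests list them.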

google-cla bot commented Jan 31, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Add a new module for parsing Visual Studio Code Extension (VSIX) files,
enabling YARA rules to match on extension metadata and security-relevant
properties.

Fields exposed:
- Identity: name, display_name, publisher, version, id, description
- Entry points: main, browser (security-critical)
- Activation: activation_events array
- Metadata: vscode_version, repository, homepage, license, categories, keywords
- Archive: files list

Functions:
- activationhash(): SHA-256 hash of sorted activation events
- has_activation_event(event): Check for specific activation event (e.g., "*")

Example rule to detect wildcard activation:
```
import "vsix"
rule wildcard_activation {
  condition:
    vsix.is_vsix and vsix.has_activation_event("*")
}
```

Address code review feedback about file.name() usage. The warning about
path traversal applies to extraction operations, not metadata reading.
File names are stored as opaque strings for YARA rule matching and never
used as filesystem paths.

@dguido (Contributor, Author) commented Feb 5, 2026

Hey @plusvic , let me know if you want some help testing this feature out. I have a few rules I can share. I also put together a repository of known malicious VS Code extensions here: https://github.com/trailofbits/vsix-zoo

@plusvic (Member) commented Feb 5, 2026

The code looks good, my only request is implementing the test cases in the same way as the rest of the modules: a few VSIX test files and their expected output. The reason is twofold:

  1. Homogeneity. All modules are tested in the same way.
  2. Golden files are very handy when you have to do massive updates. If you add a field to the module you don't need to modify test cases manually, you can automatically update the files with the expected outputs.

@dguido (Contributor, Author) commented Feb 5, 2026

Sounds good. I'll work on that tomorrow.
