File: //proc/thread-self/root/opt/go/pkg/mod/github.com/prometheus/
[email protected]/sysfs/vulnerability.go
// Copyright 2019 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//go:build linux
// +build linux
package sysfs
import (
"os"
"path/filepath"
"strings"
)
const (
notAffected = "not affected" // based on: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu
vulnerable = "vulnerable"
mitigation = "mitigation"
unknown = "unknown"
)
const (
VulnerabilityStateNotAffected = iota
VulnerabilityStateVulnerable
VulnerabilityStateMitigation
VulnerabilityStateUnknown
)
var (
// VulnerabilityHumanEncoding allows mapping the vulnerability state (encoded as an int) onto a human friendly
// string. It can be used by consumers of this library to expose to the user the state of the vulnerability.
VulnerabilityHumanEncoding = map[int]string{
VulnerabilityStateNotAffected: notAffected,
VulnerabilityStateVulnerable: vulnerable,
VulnerabilityStateMitigation: mitigation,
VulnerabilityStateUnknown: unknown,
}
)
// CPUVulnerabilities retrieves a map of vulnerability names to their mitigations.
func (fs FS) CPUVulnerabilities() (map[string]*Vulnerability, error) {
matchingFilepaths, err := filepath.Glob(fs.sys.Path("devices/system/cpu/vulnerabilities/*"))
if err != nil {
return nil, err
}
vulnerabilities := make(map[string]*Vulnerability, len(matchingFilepaths))
for _, path := range matchingFilepaths {
filename := filepath.Base(path)
rawContent, err := os.ReadFile(path)
if err != nil {
return nil, err
}
v, err := parseVulnerability(filename, string(rawContent))
if err != nil {
return nil, err
}
vulnerabilities[filename] = v
}
return vulnerabilities, nil
}
// Vulnerability represents a single vulnerability extracted from /sys/devices/system/cpu/vulnerabilities/.
type Vulnerability struct {
CodeName string
State int
Mitigation string
}
func parseVulnerability(name, rawContent string) (*Vulnerability, error) {
v := &Vulnerability{CodeName: name}
rawContent = strings.TrimSpace(rawContent)
rawContentLower := strings.ToLower(rawContent)
switch {
case strings.HasPrefix(rawContentLower, notAffected):
v.State = VulnerabilityStateNotAffected
case strings.HasPrefix(rawContentLower, vulnerable):
v.State = VulnerabilityStateVulnerable
m := strings.Fields(rawContent)
if len(m) > 1 {
v.Mitigation = strings.Join(m[1:], " ")
}
case strings.HasPrefix(rawContentLower, mitigation):
v.State = VulnerabilityStateMitigation
m := strings.Fields(rawContent)
if len(m) > 1 {
v.Mitigation = strings.Join(m[1:], " ")
}
case strings.HasPrefix(rawContentLower, unknown):
v.State = VulnerabilityStateUnknown
m := strings.Fields(rawContent)
if len(m) > 1 {
v.Mitigation = strings.Join(m[1:], " ")
}
default:
// Output the raw data obtained from the vulnerability, with state
// unknown, rather than erroring out
v.State = VulnerabilityStateUnknown
v.Mitigation = rawContent
}
return v, nil
}