| // Copyright The Prometheus Authors |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| //go:build linux |
| |
| package sysfs |
| |
| import ( |
| "os" |
| "path/filepath" |
| "strings" |
| ) |
| |
| const ( |
| notAffected = "not affected" // based on: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu |
| vulnerable = "vulnerable" |
| mitigation = "mitigation" |
| unknown = "unknown" |
| ) |
| |
| const ( |
| VulnerabilityStateNotAffected = iota |
| VulnerabilityStateVulnerable |
| VulnerabilityStateMitigation |
| VulnerabilityStateUnknown |
| ) |
| |
| var ( |
| // VulnerabilityHumanEncoding allows mapping the vulnerability state (encoded as an int) onto a human friendly |
| // string. It can be used by consumers of this library to expose to the user the state of the vulnerability. |
| VulnerabilityHumanEncoding = map[int]string{ |
| VulnerabilityStateNotAffected: notAffected, |
| VulnerabilityStateVulnerable: vulnerable, |
| VulnerabilityStateMitigation: mitigation, |
| VulnerabilityStateUnknown: unknown, |
| } |
| ) |
| |
| // CPUVulnerabilities retrieves a map of vulnerability names to their mitigations. |
| func (fs FS) CPUVulnerabilities() (map[string]*Vulnerability, error) { |
| matchingFilepaths, err := filepath.Glob(fs.sys.Path("devices/system/cpu/vulnerabilities/*")) |
| if err != nil { |
| return nil, err |
| } |
| |
| vulnerabilities := make(map[string]*Vulnerability, len(matchingFilepaths)) |
| for _, path := range matchingFilepaths { |
| filename := filepath.Base(path) |
| |
| rawContent, err := os.ReadFile(path) |
| if err != nil { |
| return nil, err |
| } |
| |
| v, err := parseVulnerability(filename, string(rawContent)) |
| if err != nil { |
| return nil, err |
| } |
| |
| vulnerabilities[filename] = v |
| } |
| |
| return vulnerabilities, nil |
| } |
| |
| // Vulnerability represents a single vulnerability extracted from /sys/devices/system/cpu/vulnerabilities/. |
| type Vulnerability struct { |
| CodeName string |
| State int |
| Mitigation string |
| } |
| |
| func parseVulnerability(name, rawContent string) (*Vulnerability, error) { |
| v := &Vulnerability{CodeName: name} |
| rawContent = strings.TrimSpace(rawContent) |
| rawContentLower := strings.ToLower(rawContent) |
| switch { |
| case strings.HasPrefix(rawContentLower, notAffected): |
| v.State = VulnerabilityStateNotAffected |
| case strings.HasPrefix(rawContentLower, vulnerable): |
| v.State = VulnerabilityStateVulnerable |
| m := strings.Fields(rawContent) |
| if len(m) > 1 { |
| v.Mitigation = strings.Join(m[1:], " ") |
| } |
| case strings.HasPrefix(rawContentLower, mitigation): |
| v.State = VulnerabilityStateMitigation |
| m := strings.Fields(rawContent) |
| if len(m) > 1 { |
| v.Mitigation = strings.Join(m[1:], " ") |
| } |
| case strings.HasPrefix(rawContentLower, unknown): |
| v.State = VulnerabilityStateUnknown |
| m := strings.Fields(rawContent) |
| if len(m) > 1 { |
| v.Mitigation = strings.Join(m[1:], " ") |
| } |
| default: |
| // Output the raw data obtained from the vulnerability, with state |
| // unknown, rather than erroring out |
| v.State = VulnerabilityStateUnknown |
| v.Mitigation = rawContent |
| } |
| return v, nil |
| } |
