Add VulnerabilityStats() to for kernel vulnerabilities

See prometheus/node_exporter#1046 Signed-off-by: Ivan Babrou <[email protected]>
prometheus · Jul 12, 2019 · 7c1ba21 · 7c1ba21
1 parent 8f55e60
commit 7c1ba21
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 0 deletions.
diff --git a/cpu/vulnerability.go b/cpu/vulnerability.go
@@ -0,0 +1,53 @@
+package cpu
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	notAffectedSysFsValue = "Not Affected"
+	vulnerableSysFsValue  = "Vulnerable"
+	mitigationSysFsValue  = "Mitigation"
+)
+
+const (
+	NotAffected VulnerabilityState = "not affected"
+	Vulnerable  VulnerabilityState = "vulnerable"
+	Mitigation  VulnerabilityState = "mitigation"
+)
+
+type VulnerabilityState string
+
+func (s VulnerabilityState) String() string {
+	return string(s)
+}
+
+type Vulnerability struct {
+	CodeName   string
+	State      VulnerabilityState
+	Mitigation string
+}
+
+func ParseVulnerability(name, value string) (Vulnerability, error) {
+	v := Vulnerability{CodeName: name}
+
+	if value == notAffectedSysFsValue {
+		v.State = NotAffected
+		return v, nil
+	}
+
+	if strings.HasPrefix(value, vulnerableSysFsValue) {
+		v.State = Vulnerable
+		v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(value, vulnerableSysFsValue), ": ")
+		return v, nil
+	}
+
+	if strings.HasPrefix(value, mitigationSysFsValue) {
+		v.State = Mitigation
+		v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(value, mitigationSysFsValue), ": ")
+		return v, nil
+	}
+
+	return v, fmt.Errorf("unknown vulnerability state for %s: %s", name, value)
+}
diff --git a/sysfs/fs.go b/sysfs/fs.go
@@ -14,7 +14,13 @@
 package sysfs
 
 import (
+	"io/ioutil"
+	"path/filepath"
+	"strings"
+
 	"github.com/prometheus/procfs/internal/fs"
+
+	"github.com/prometheus/procfs/cpu"
 )
 
 // FS represents the pseudo-filesystem sys, which provides an interface to
@@ -41,3 +47,30 @@ func NewFS(mountPoint string) (FS, error) {
 	}
 	return FS{fs}, nil
 }
+
+// BcacheStats retrieves a map of vulnerability names to their mitigations.
+func (fs FS) CPUVulnerabilities() ([]cpu.Vulnerability, error) {
+	matches, err := filepath.Glob(fs.Path("devices/system/cpu/vulnerabilities/*"))
+	if err != nil {
+		return nil, err
+	}
+
+	vulnerabilities := make([]cpu.Vulnerability, 0, len(matches))
+	for _, match := range matches {
+		name := filepath.Base(match)
+
+		value, err := ioutil.ReadFile(match)
+		if err != nil {
+			return nil, err
+		}
+
+		v, err := cpu.ParseVulnerability(name, strings.TrimSpace(string(value)))
+		if err != nil {
+			return nil, err
+		}
+
+		vulnerabilities = append(vulnerabilities, v)
+	}
+
+	return vulnerabilities, nil
+}