From 03b4c5e0041df1e19afde977f0569d28699ce40e Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Thu, 1 Jun 2023 16:17:31 +0200 Subject: [PATCH 01/10] add tests for sysfs vulnerabilities Signed-off-by: Michal Wasilewski --- sysfs/vulnerability.go | 2 +- sysfs/vulnerability_test.go | 40 +++++++++++++++++++++++++++++++++++++ testdata/fixtures.ttar | 33 ++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 sysfs/vulnerability_test.go diff --git a/sysfs/vulnerability.go b/sysfs/vulnerability.go index 87e701602..530f590aa 100644 --- a/sysfs/vulnerability.go +++ b/sysfs/vulnerability.go @@ -24,7 +24,7 @@ import ( ) const ( - notAffected = "Not Affected" + notAffected = "Not affected" vulnerable = "Vulnerable" mitigation = "Mitigation" ) diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go new file mode 100644 index 000000000..3cc337b16 --- /dev/null +++ b/sysfs/vulnerability_test.go @@ -0,0 +1,40 @@ +package sysfs + +import ( + "reflect" + "testing" +) + +func TestFS_CPUVulnerabilities(t *testing.T) { + sysFs, err := NewFS(sysTestFixtures) + if err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + want []Vulnerability + wantErr bool + }{ + {"TestFS_CPUVulnerabilities", []Vulnerability{ + {CodeName: "itlb_multihit", State: "Not affected", Mitigation: ""}, + {CodeName: "retbleed", State: "Mitigation", Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, + {CodeName: "spec_store_bypass", State: "Mitigation", Mitigation: "Speculative Store Bypass disabled via prctl"}, + {CodeName: "spectre_v1", State: "Mitigation", Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, + {CodeName: "spectre_v2", State: "Mitigation", Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, + {CodeName: "tsx_async_abort", State: "Not affected", Mitigation: ""}, + }, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := sysFs.CPUVulnerabilities() + if (err != nil) != tt.wantErr { + t.Errorf("CPUVulnerabilities() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("CPUVulnerabilities() got = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/testdata/fixtures.ttar b/testdata/fixtures.ttar index cc2ff45d8..9de25385a 100644 --- a/testdata/fixtures.ttar +++ b/testdata/fixtures.ttar @@ -13234,6 +13234,39 @@ Lines: 1 2 Mode: 664 # ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Directory: fixtures/sys/devices/system/cpu/vulnerabilities +Mode: 755 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/itlb_multihit +Lines: 1 +Not affected +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/retbleed +Lines: 1 +Mitigation: untrained return thunk; SMT enabled with STIBP protection +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/spec_store_bypass +Lines: 1 +Mitigation: Speculative Store Bypass disabled via prctl +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/spectre_v1 +Lines: 1 +Mitigation: usercopy/swapgs barriers and __user pointer sanitization +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/spectre_v2 +Lines: 1 +Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/tsx_async_abort +Lines: 1 +Not affected +Mode: 444 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Directory: fixtures/sys/devices/system/node Mode: 775 # ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - From fd0c9fd7fec62ebf6ce4d931b6335a3ad8d94f9e Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Fri, 2 Jun 2023 14:59:51 +0200 Subject: [PATCH 02/10] use a vulnerability indexed map instead of a slice Signed-off-by: Michal Wasilewski --- sysfs/vulnerability.go | 24 +++++++++++------------ sysfs/vulnerability_test.go | 39 ++++++++++++++++++++----------------- 2 files changed, 33 insertions(+), 30 deletions(-) diff --git a/sysfs/vulnerability.go b/sysfs/vulnerability.go index 530f590aa..9d31569b1 100644 --- a/sysfs/vulnerability.go +++ b/sysfs/vulnerability.go @@ -24,33 +24,33 @@ import ( ) const ( - notAffected = "Not affected" + notAffected = "Not affected" // based on: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu vulnerable = "Vulnerable" mitigation = "Mitigation" ) // CPUVulnerabilities retrieves a map of vulnerability names to their mitigations. -func (fs FS) CPUVulnerabilities() ([]Vulnerability, error) { - matches, err := filepath.Glob(fs.sys.Path("devices/system/cpu/vulnerabilities/*")) +func (fs FS) CPUVulnerabilities() (map[string]*Vulnerability, error) { + matchingFilepaths, err := filepath.Glob(fs.sys.Path("devices/system/cpu/vulnerabilities/*")) if err != nil { return nil, err } - vulnerabilities := make([]Vulnerability, 0, len(matches)) - for _, match := range matches { - name := filepath.Base(match) + vulnerabilities := make(map[string]*Vulnerability, len(matchingFilepaths)) + for _, path := range matchingFilepaths { + filename := filepath.Base(path) - value, err := os.ReadFile(match) + rawContent, err := os.ReadFile(path) if err != nil { return nil, err } - v, err := parseVulnerability(name, string(value)) + v, err := parseVulnerability(filename, string(rawContent)) if err != nil { return nil, err } - vulnerabilities = append(vulnerabilities, v) + vulnerabilities[filename] = v } return vulnerabilities, nil @@ -63,8 +63,8 @@ type Vulnerability struct { Mitigation string } -func parseVulnerability(name, value string) (Vulnerability, error) { - v := Vulnerability{CodeName: name} +func parseVulnerability(name, value string) (*Vulnerability, error) { + v := &Vulnerability{CodeName: name} value = strings.TrimSpace(value) if value == notAffected { v.State = notAffected @@ -83,5 +83,5 @@ func parseVulnerability(name, value string) (Vulnerability, error) { return v, nil } - return v, fmt.Errorf("unknown vulnerability state for %s: %s", name, value) + return nil, fmt.Errorf("unknown vulnerability state for %s: %s", name, value) } diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go index 3cc337b16..9780f4448 100644 --- a/sysfs/vulnerability_test.go +++ b/sysfs/vulnerability_test.go @@ -1,6 +1,7 @@ package sysfs import ( + "fmt" "reflect" "testing" ) @@ -8,32 +9,34 @@ import ( func TestFS_CPUVulnerabilities(t *testing.T) { sysFs, err := NewFS(sysTestFixtures) if err != nil { - t.Fatal(err) + t.Fatal(fmt.Errorf("failed to get sysfs FS: %w", err)) + } + got, err := sysFs.CPUVulnerabilities() + if err != nil { + t.Fatal(fmt.Errorf("failed to parse sysfs vulnerabilities files: %w", err)) } tests := []struct { - name string - want []Vulnerability - wantErr bool + name string + vulnerabilityName string + want *Vulnerability + wantErr bool }{ - {"TestFS_CPUVulnerabilities", []Vulnerability{ - {CodeName: "itlb_multihit", State: "Not affected", Mitigation: ""}, - {CodeName: "retbleed", State: "Mitigation", Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, - {CodeName: "spec_store_bypass", State: "Mitigation", Mitigation: "Speculative Store Bypass disabled via prctl"}, - {CodeName: "spectre_v1", State: "Mitigation", Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, - {CodeName: "spectre_v2", State: "Mitigation", Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, - {CodeName: "tsx_async_abort", State: "Not affected", Mitigation: ""}, - }, false}, + {"Not affected", "itlb_multihit", &Vulnerability{CodeName: "itlb_multihit", State: notAffected, Mitigation: ""}, false}, + {"Not affected with underscores", "tsx_async_abort", &Vulnerability{CodeName: "tsx_async_abort", State: notAffected, Mitigation: ""}, false}, + {"Mitigation simple string", "spec_store_bypass", &Vulnerability{CodeName: "spec_store_bypass", State: mitigation, Mitigation: "Speculative Store Bypass disabled via prctl"}, false}, + {"Mitigation special chars", "retbleed", &Vulnerability{CodeName: "retbleed", State: mitigation, Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, false}, + {"Mitigation more special chars", "spectre_v1", &Vulnerability{CodeName: "spectre_v1", State: mitigation, Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, false}, + {"Mitigation with multiple subsections", "spectre_v2", &Vulnerability{CodeName: "spectre_v2", State: mitigation, Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, false}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := sysFs.CPUVulnerabilities() - if (err != nil) != tt.wantErr { - t.Errorf("CPUVulnerabilities() error = %v, wantErr %v", err, tt.wantErr) - return + gotVulnerability, ok := got[tt.vulnerabilityName] + if !ok && !tt.wantErr { + t.Errorf("CPUVulnerabilities() vulnerability %s not found", tt.vulnerabilityName) } - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("CPUVulnerabilities() got = %v, want %v", got, tt.want) + if !reflect.DeepEqual(gotVulnerability, tt.want) { + t.Errorf("CPUVulnerabilities() gotVulnerability = %v, want %v", gotVulnerability, tt.want) } }) } From a29789547d2f6bc223a7d7a5702117a9d73f57f4 Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Fri, 2 Jun 2023 15:43:55 +0200 Subject: [PATCH 03/10] switch to encoding for vuln state instead of plain strings Signed-off-by: Michal Wasilewski --- sysfs/vulnerability.go | 38 +++++++++++++++++++++++++------------ sysfs/vulnerability_test.go | 12 ++++++------ 2 files changed, 32 insertions(+), 18 deletions(-) diff --git a/sysfs/vulnerability.go b/sysfs/vulnerability.go index 9d31569b1..11d38b2e3 100644 --- a/sysfs/vulnerability.go +++ b/sysfs/vulnerability.go @@ -29,6 +29,20 @@ const ( mitigation = "Mitigation" ) +const ( + VulnerabilityStateNotAffected = iota + VulnerabilityStateVulnerable + VulnerabilityStateMitigation +) + +var ( + VulnerabilityHumanEncoding = map[int]string{ + VulnerabilityStateNotAffected: notAffected, + VulnerabilityStateVulnerable: vulnerable, + VulnerabilityStateMitigation: mitigation, + } +) + // CPUVulnerabilities retrieves a map of vulnerability names to their mitigations. func (fs FS) CPUVulnerabilities() (map[string]*Vulnerability, error) { matchingFilepaths, err := filepath.Glob(fs.sys.Path("devices/system/cpu/vulnerabilities/*")) @@ -59,29 +73,29 @@ func (fs FS) CPUVulnerabilities() (map[string]*Vulnerability, error) { // Vulnerability represents a single vulnerability extracted from /sys/devices/system/cpu/vulnerabilities/. type Vulnerability struct { CodeName string - State string + State int Mitigation string } -func parseVulnerability(name, value string) (*Vulnerability, error) { +func parseVulnerability(name, rawContent string) (*Vulnerability, error) { v := &Vulnerability{CodeName: name} - value = strings.TrimSpace(value) - if value == notAffected { - v.State = notAffected + rawContent = strings.TrimSpace(rawContent) + if rawContent == notAffected { + v.State = VulnerabilityStateNotAffected return v, nil } - if strings.HasPrefix(value, vulnerable) { - v.State = vulnerable - v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(value, vulnerable), ": ") + if strings.HasPrefix(rawContent, vulnerable) { + v.State = VulnerabilityStateVulnerable + v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(rawContent, vulnerable), ": ") return v, nil } - if strings.HasPrefix(value, mitigation) { - v.State = mitigation - v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(value, mitigation), ": ") + if strings.HasPrefix(rawContent, mitigation) { + v.State = VulnerabilityStateMitigation + v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(rawContent, mitigation), ": ") return v, nil } - return nil, fmt.Errorf("unknown vulnerability state for %s: %s", name, value) + return nil, fmt.Errorf("unknown vulnerability state for %s: %s", name, rawContent) } diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go index 9780f4448..6f457006f 100644 --- a/sysfs/vulnerability_test.go +++ b/sysfs/vulnerability_test.go @@ -22,12 +22,12 @@ func TestFS_CPUVulnerabilities(t *testing.T) { want *Vulnerability wantErr bool }{ - {"Not affected", "itlb_multihit", &Vulnerability{CodeName: "itlb_multihit", State: notAffected, Mitigation: ""}, false}, - {"Not affected with underscores", "tsx_async_abort", &Vulnerability{CodeName: "tsx_async_abort", State: notAffected, Mitigation: ""}, false}, - {"Mitigation simple string", "spec_store_bypass", &Vulnerability{CodeName: "spec_store_bypass", State: mitigation, Mitigation: "Speculative Store Bypass disabled via prctl"}, false}, - {"Mitigation special chars", "retbleed", &Vulnerability{CodeName: "retbleed", State: mitigation, Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, false}, - {"Mitigation more special chars", "spectre_v1", &Vulnerability{CodeName: "spectre_v1", State: mitigation, Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, false}, - {"Mitigation with multiple subsections", "spectre_v2", &Vulnerability{CodeName: "spectre_v2", State: mitigation, Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, false}, + {"Not affected", "itlb_multihit", &Vulnerability{CodeName: "itlb_multihit", State: VulnerabilityStateNotAffected, Mitigation: ""}, false}, + {"Not affected with underscores", "tsx_async_abort", &Vulnerability{CodeName: "tsx_async_abort", State: VulnerabilityStateNotAffected, Mitigation: ""}, false}, + {"Mitigation simple string", "spec_store_bypass", &Vulnerability{CodeName: "spec_store_bypass", State: VulnerabilityStateMitigation, Mitigation: "Speculative Store Bypass disabled via prctl"}, false}, + {"Mitigation special chars", "retbleed", &Vulnerability{CodeName: "retbleed", State: VulnerabilityStateMitigation, Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, false}, + {"Mitigation more special chars", "spectre_v1", &Vulnerability{CodeName: "spectre_v1", State: VulnerabilityStateMitigation, Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, false}, + {"Mitigation with multiple subsections", "spectre_v2", &Vulnerability{CodeName: "spectre_v2", State: VulnerabilityStateMitigation, Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, false}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From 254efce8e1cbfdf31cd5b70bffd8a374b970127e Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Fri, 2 Jun 2023 16:35:21 +0200 Subject: [PATCH 04/10] add missing license in the test file Signed-off-by: Michal Wasilewski --- sysfs/vulnerability_test.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go index 6f457006f..4526d4d05 100644 --- a/sysfs/vulnerability_test.go +++ b/sysfs/vulnerability_test.go @@ -1,3 +1,16 @@ +// Copyright 2019 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package sysfs import ( From 9c26b1dda0afe0f7755a95e3b77fa439bfd10c9e Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Fri, 2 Jun 2023 16:38:08 +0200 Subject: [PATCH 05/10] add missing build tags Signed-off-by: Michal Wasilewski --- sysfs/vulnerability_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go index 4526d4d05..5cede084c 100644 --- a/sysfs/vulnerability_test.go +++ b/sysfs/vulnerability_test.go @@ -11,6 +11,9 @@ // See the License for the specific language governing permissions and // limitations under the License. +//go:build linux +// +build linux + package sysfs import ( From 1faaea25035fe70d164db816bc46bb5691dc1374 Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Fri, 2 Jun 2023 17:19:34 +0200 Subject: [PATCH 06/10] add test cases for vulnerable, unify char cases when parsing state Signed-off-by: Michal Wasilewski --- sysfs/vulnerability.go | 24 ++++++++++++++++-------- sysfs/vulnerability_test.go | 2 ++ testdata/fixtures.ttar | 10 ++++++++++ 3 files changed, 28 insertions(+), 8 deletions(-) diff --git a/sysfs/vulnerability.go b/sysfs/vulnerability.go index 11d38b2e3..f6d950d52 100644 --- a/sysfs/vulnerability.go +++ b/sysfs/vulnerability.go @@ -24,9 +24,9 @@ import ( ) const ( - notAffected = "Not affected" // based on: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu - vulnerable = "Vulnerable" - mitigation = "Mitigation" + notAffected = "not affected" // based on: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu + vulnerable = "vulnerable" + mitigation = "mitigation" ) const ( @@ -80,20 +80,28 @@ type Vulnerability struct { func parseVulnerability(name, rawContent string) (*Vulnerability, error) { v := &Vulnerability{CodeName: name} rawContent = strings.TrimSpace(rawContent) - if rawContent == notAffected { + rawContentLower := strings.ToLower(rawContent) + + if strings.HasPrefix(rawContentLower, notAffected) { v.State = VulnerabilityStateNotAffected return v, nil } - if strings.HasPrefix(rawContent, vulnerable) { + if strings.HasPrefix(rawContentLower, vulnerable) { v.State = VulnerabilityStateVulnerable - v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(rawContent, vulnerable), ": ") + m := strings.Fields(rawContent) + if len(m) > 1 { + v.Mitigation = strings.Join(m[1:], " ") + } return v, nil } - if strings.HasPrefix(rawContent, mitigation) { + if strings.HasPrefix(rawContentLower, mitigation) { v.State = VulnerabilityStateMitigation - v.Mitigation = strings.TrimPrefix(strings.TrimPrefix(rawContent, mitigation), ": ") + m := strings.Fields(rawContent) + if len(m) > 1 { + v.Mitigation = strings.Join(m[1:], " ") + } return v, nil } diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go index 5cede084c..89f9e6119 100644 --- a/sysfs/vulnerability_test.go +++ b/sysfs/vulnerability_test.go @@ -44,6 +44,8 @@ func TestFS_CPUVulnerabilities(t *testing.T) { {"Mitigation special chars", "retbleed", &Vulnerability{CodeName: "retbleed", State: VulnerabilityStateMitigation, Mitigation: "untrained return thunk; SMT enabled with STIBP protection"}, false}, {"Mitigation more special chars", "spectre_v1", &Vulnerability{CodeName: "spectre_v1", State: VulnerabilityStateMitigation, Mitigation: "usercopy/swapgs barriers and __user pointer sanitization"}, false}, {"Mitigation with multiple subsections", "spectre_v2", &Vulnerability{CodeName: "spectre_v2", State: VulnerabilityStateMitigation, Mitigation: "Retpolines, IBPB: conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected"}, false}, + {"Vulnerable", "mds", &Vulnerability{CodeName: "mds", State: VulnerabilityStateVulnerable, Mitigation: ""}, false}, + {"Vulnerable with mitigation available", "mmio_stale_data", &Vulnerability{CodeName: "mmio_stale_data", State: VulnerabilityStateVulnerable, Mitigation: "Clear CPU buffers attempted, no microcode"}, false}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/testdata/fixtures.ttar b/testdata/fixtures.ttar index 9de25385a..decfe168b 100644 --- a/testdata/fixtures.ttar +++ b/testdata/fixtures.ttar @@ -13242,6 +13242,16 @@ Lines: 1 Not affected Mode: 444 # ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/mds +Lines: 1 +Vulnerable +Mode: 644 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Path: fixtures/sys/devices/system/cpu/vulnerabilities/mmio_stale_data +Lines: 1 +Vulnerable: Clear CPU buffers attempted, no microcode +Mode: 644 +# ttar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Path: fixtures/sys/devices/system/cpu/vulnerabilities/retbleed Lines: 1 Mitigation: untrained return thunk; SMT enabled with STIBP protection From 953794ad7f7ee30bcb250e8a32cb8b5fd3e9dc40 Mon Sep 17 00:00:00 2001 From: Michal Date: Mon, 5 Jun 2023 16:48:12 +0200 Subject: [PATCH 07/10] Update sysfs/vulnerability_test.go Co-authored-by: Ben Kochie Signed-off-by: Michal --- sysfs/vulnerability_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysfs/vulnerability_test.go b/sysfs/vulnerability_test.go index 89f9e6119..255586d83 100644 --- a/sysfs/vulnerability_test.go +++ b/sysfs/vulnerability_test.go @@ -1,4 +1,4 @@ -// Copyright 2019 The Prometheus Authors +// Copyright 2023 The Prometheus Authors // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at From 309694318d01b0675aa10e3edc3db0d7fe6c0805 Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Mon, 5 Jun 2023 17:11:43 +0200 Subject: [PATCH 08/10] minor update to the readme Signed-off-by: Michal Wasilewski --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 43c37735a..1224816c2 100644 --- a/README.md +++ b/README.md @@ -51,11 +51,11 @@ ensure the `fixtures` directory is up to date by removing the existing directory extracting the ttar file using `make fixtures/.unpacked` or just `make test`. ```bash -rm -rf fixtures +rm -rf testdata/fixtures make test ``` Next, make the required changes to the extracted files in the `fixtures` directory. When the changes are complete, run `make update_fixtures` to create a new `fixtures.ttar` file based on the updated `fixtures` directory. And finally, verify the changes using -`git diff fixtures.ttar`. +`git diff testdata/fixtures.ttar`. From fbbf0028726dd252fab7ef00a75f6da236cd2372 Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Mon, 12 Jun 2023 12:14:57 +0200 Subject: [PATCH 09/10] use switch instead of multiple ifs (no semantic changes) Signed-off-by: Michal Wasilewski --- sysfs/vulnerability.go | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/sysfs/vulnerability.go b/sysfs/vulnerability.go index f6d950d52..1de8f7f13 100644 --- a/sysfs/vulnerability.go +++ b/sysfs/vulnerability.go @@ -81,29 +81,24 @@ func parseVulnerability(name, rawContent string) (*Vulnerability, error) { v := &Vulnerability{CodeName: name} rawContent = strings.TrimSpace(rawContent) rawContentLower := strings.ToLower(rawContent) - - if strings.HasPrefix(rawContentLower, notAffected) { + switch { + case strings.HasPrefix(rawContentLower, notAffected): v.State = VulnerabilityStateNotAffected - return v, nil - } - - if strings.HasPrefix(rawContentLower, vulnerable) { + case strings.HasPrefix(rawContentLower, vulnerable): v.State = VulnerabilityStateVulnerable m := strings.Fields(rawContent) if len(m) > 1 { v.Mitigation = strings.Join(m[1:], " ") } - return v, nil - } - - if strings.HasPrefix(rawContentLower, mitigation) { + case strings.HasPrefix(rawContentLower, mitigation): v.State = VulnerabilityStateMitigation m := strings.Fields(rawContent) if len(m) > 1 { v.Mitigation = strings.Join(m[1:], " ") } - return v, nil - } + default: + return nil, fmt.Errorf("unknown vulnerability state for %s: %s", name, rawContent) - return nil, fmt.Errorf("unknown vulnerability state for %s: %s", name, rawContent) + } + return v, nil } From 3197304d92bac708bceb7a80d1a7162d437ba59f Mon Sep 17 00:00:00 2001 From: Michal Wasilewski Date: Thu, 15 Jun 2023 10:11:17 +0200 Subject: [PATCH 10/10] Explain purpose of VulnerabilityHumanEncoding adds a go doc explaining the purpose of the map containing mapping from int encoded state to human friendly strings Signed-off-by: Michal Wasilewski --- sysfs/vulnerability.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sysfs/vulnerability.go b/sysfs/vulnerability.go index 1de8f7f13..08927a21c 100644 --- a/sysfs/vulnerability.go +++ b/sysfs/vulnerability.go @@ -36,6 +36,8 @@ const ( ) var ( + // VulnerabilityHumanEncoding allows mapping the vulnerability state (encoded as an int) onto a human friendly + // string. It can be used by consumers of this library to expose to the user the state of the vulnerability. VulnerabilityHumanEncoding = map[int]string{ VulnerabilityStateNotAffected: notAffected, VulnerabilityStateVulnerable: vulnerable,