Skip to content

Add VulnerabilityStats() to for kernel vulnerabilities#106

Closed
bobrik wants to merge 3 commits intoprometheus:masterfrom
bobrik:vulnerabilities
Closed

Add VulnerabilityStats() to for kernel vulnerabilities#106
bobrik wants to merge 3 commits intoprometheus:masterfrom
bobrik:vulnerabilities

Conversation

@bobrik
Copy link
Contributor

@bobrik bobrik commented Aug 21, 2018

@bobrik bobrik force-pushed the vulnerabilities branch 2 times, most recently from 9395f5b to f1d9ebe Compare August 22, 2018 05:52
@mjtrangoni
Copy link
Contributor

mjtrangoni commented Aug 22, 2018

@bobrik @discordianfish shouldn‘t it be 0 or 1 depending if this is mitigated (mitigation) or not (vulnerable).

@bobrik
Copy link
Contributor Author

bobrik commented Aug 22, 2018

@mjtrangoni, it's not that simple:

$ cat /sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

I think raw value is a good tradeoff: you want to know what kind of setups you have and possibly alert if mitigation is not what you expect it to be (think slow kernel fix vs fast microcode).

@mjtrangoni
Copy link
Contributor

mjtrangoni commented Aug 22, 2018

@bobrik I know that, my point was to add value to the metric value itself, leaving your labels as they are, so that you still get the complete string description. For example, the values could be something like, Not affected 0, Mitigation: 1, and Vulnerable: 2.

@grobie
Copy link
Member

grobie commented Aug 22, 2018

Thanks a lot for your contribution!

The library aims to provide a simple interface towards the procfs/sysfs filesystems. The provided interface should mirror the naming of these filesystems, and take away the burden from go developers to parse the content on their own.

The function name should mirror the naming of file system names wherever possible. The full path is quite long, I propose CPUVulnerabilities() ([]CPUVulnerability, error).

Furthermore, the intent of this library is to take away the burden of parsing the specific file formats and providing idiomatic golang datatypes instead. Therefore, I suggest to return a struct for each vulnerability instead of a map of strings which is not a clear interface.

type CPUVulnerability struct {
	CodeName   string
	State      string
	Mitigation string
}

Following the sysfs documentation at https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-devices-system-cpu, CodeName would be the filename, State one of Not Affected, Vulnerable, or Mitigated, and Mitigation the value of $M. It might even make sense to define a type CPUVulnerabilityState and three constants for the three states to guarantee type safety for the state comparison.

@bobrik
Copy link
Contributor Author

bobrik commented Aug 22, 2018

I've updated the code. Let me know if that's what you had in mind and I'll work on docs and tests.

@bobrik bobrik mentioned this pull request Nov 28, 2018
Closed
@SuperQ
Copy link
Member

SuperQ commented Nov 28, 2018

Looks like the tests failed due to missing copyright headers.

@pgier
Copy link
Collaborator

pgier commented May 22, 2019

@bobrik Any chance you can rebase this one on latest master and add the copyright header?

@discordianfish discordianfish mentioned this pull request Jul 12, 2019
Merged
@discordianfish
Copy link
Member

discordianfish commented Jul 12, 2019

I've created a new PR with these changes rebased on master.

bobrik pushed a commit to bobrik/procfs that referenced this pull request Jan 14, 2023
@eminence
Merge pull request prometheus#106 from eminence/cputime_change
248a1a7 
Store cputime in ticks, not fractional seconds
@mwasilew2 mwasilew2 mentioned this pull request Jun 2, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bobrik @mjtrangoni @grobie @SuperQ @pgier @discordianfish