
Improve sysfs vulnerability parsing #568

Merged
merged 2 commits into from Sep 22, 2023

Conversation

jopelima
Contributor

@jopelima jopelima commented Sep 15, 2023

The existing sysfs vulnerability parsing routines expected the data provided by the kernel to start with either "Not Affected"/"Vulnerable"/"Mitigation"; however, there are a handful of vulnerabilities that can provide data not matching this expectation:

Testing the existing implementation on a VM results in an error being generated:

root@debian:~/node_exporter# ./node_exporter --collector.cpu_vulnerabilities &
root@debian:~/node_exporter# curl localhost:9100/metrics | grep cpu
2023-09-14T09:12:18.615Z caller=collector.go:169 level=error msg="collector failed" name=cpu_vulnerabilities duration_seconds=0.000116497 err="failed to get vulnerabilities: unknown vulnerability state for itlb_multihit: KVM: Mitigation: VMX unsupported"

This PR modifies the vulnerability parsing to make use of a 4th state ("Unknown"), which is used when the vulnerability information can't be parsed to any of the other vulnerability states, and output the information provided by the kernel, rather than erroring out.

Vulnerability parsing tests have been updated to include the aforementioned vulnerability data.

The existing sysfs vulnerability parsing routines expected the data provided by the kernel to start with either "Not Affected"/"Vulnerable"/"Mitigation"; however, there are a handful of vulnerabilities that can provide data not matching this expectation:

- https://elixir.bootlin.com/linux/v6.1.53/source/arch/x86/kernel/cpu/bugs.c#L2519
- https://elixir.bootlin.com/linux/v6.1.53/source/arch/x86/kernel/cpu/bugs.c#L546
- https://elixir.bootlin.com/linux/v6.1.53/source/arch/x86/kernel/cpu/bugs.c#L2578

Modify the vulnerability parsing to make use of a 4th state ("Unknown"), which is used when the vulnerability information can't be parsed to any of the other vulnerability states, and output the information provided by the kernel, rather than erroring out.

Vulnerability parsing tests have been updated to include the aforementioned vulnerability data.

Signed-off-by: João Lima <jlima@cloudflare.com>
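To make the parsing change concrete, here is an added example (not node_exporter's or procfs's own code) of a sysfs vulnerability parser with the fourth "Unknown" state described above. The sample file contents are constructed and modelled on kernel output formats; only the itlb_multihit value is the one quoted in the PR. The directory layout mirrors /sys/devices/system/cpu/vulnerabilities, but the example writes the sample files to a temporary directory so it runs offline. Type and function names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VulnerabilityState is the parsed state of one entry under
// /sys/devices/system/cpu/vulnerabilities/.
type VulnerabilityState int

const (
	// StateUnknown is the fallback for text that does not start with one of
	// the three expected keywords, e.g. "KVM: Mitigation: VMX unsupported".
	StateUnknown VulnerabilityState = iota
	StateNotAffected
	StateVulnerable
	StateMitigation
)

var stateNames = map[VulnerabilityState]string{
	StateUnknown:     "unknown",
	StateNotAffected: "not affected",
	StateVulnerable:  "vulnerable",
	StateMitigation:  "mitigation",
}

func (s VulnerabilityState) String() string { return stateNames[s] }

// Vulnerability is one parsed sysfs entry. Detail carries whatever follows the
// keyword ("PTI" for "Mitigation: PTI"); for StateUnknown it carries the full
// kernel string so the information is exposed rather than lost.
type Vulnerability struct {
	CodeName string
	State    VulnerabilityState
	Detail   string
}

// ParseVulnerability classifies raw file contents. It never returns an error:
// unrecognised text becomes StateUnknown instead of failing the whole scrape.
func ParseVulnerability(codeName, raw string) Vulnerability {
	text := strings.TrimSpace(raw)
	v := Vulnerability{CodeName: codeName, Detail: text}
	switch {
	case strings.HasPrefix(text, "Not affected"):
		v.State = StateNotAffected
		v.Detail = ""
	case strings.HasPrefix(text, "Vulnerable"):
		// Either bare "Vulnerable" or "Vulnerable: <why>".
		v.State = StateVulnerable
		v.Detail = strings.TrimSpace(strings.TrimPrefix(strings.TrimPrefix(text, "Vulnerable"), ":"))
	case strings.HasPrefix(text, "Mitigation:"):
		v.State = StateMitigation
		v.Detail = strings.TrimSpace(strings.TrimPrefix(text, "Mitigation:"))
	default:
		v.State = StateUnknown // Detail keeps the full kernel text
	}
	return v
}

// ParseVulnerabilityDir reads every regular file in dir (normally
// /sys/devices/system/cpu/vulnerabilities) and parses it. A file that cannot
// be read is skipped rather than aborting the whole collection.
func ParseVulnerabilityDir(dir string) ([]Vulnerability, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var out []Vulnerability
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		b, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			continue
		}
		out = append(out, ParseVulnerability(e.Name(), string(b)))
	}
	return out, nil
}

// sampleSysfs is constructed input modelled on kernel output formats.
var sampleSysfs = map[string]string{
	"meltdown":        "Mitigation: PTI\n",
	"spectre_v1":      "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
	"l1tf":            "Not affected\n",
	"mds":             "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
	"itlb_multihit":   "KVM: Mitigation: VMX unsupported\n", // the value from the PR
	"mmio_stale_data": "Unknown: No mitigations\n",
}

func main() {
	dir, err := os.MkdirTemp("", "vulns")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for name, content := range sampleSysfs {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(content), 0o644); err != nil {
			panic(err)
		}
	}
	vulns, err := ParseVulnerabilityDir(dir)
	if err != nil {
		panic(err)
	}
	for _, v := range vulns {
		fmt.Printf("%-16s state=%-14q detail=%q\n", v.CodeName, v.State.String(), v.Detail)
	}
}
```

The point of the fallback is operational: one unexpected string from the kernel should not turn the whole cpu_vulnerabilities collector into an error, and keeping the raw text in the Unknown entry means the operator still sees "KVM: Mitigation: VMX unsupported" in the exported data instead of nothing.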
Member

@discordianfish discordianfish left a comment


Thanks!

@SuperQ
Member

SuperQ commented Sep 20, 2023

CI fix is here: #573

@SuperQ SuperQ merged commit 5056707 into prometheus:master Sep 22, 2023
7 checks passed