| Author | SHA1 | Date | |
|---|---|---|---|
| fd7caec415 | |||
| 68116d87fd | |||
| c060a2d2c9 | |||
| fe0d3f49f4 | |||
| 73b67b4a80 | |||
| ea6b8efd18 | |||
| 24d92540a7 | |||
| 553a9ec60f | |||
| 75ad60f42a | |||
| 931c955765 | |||
| c5ef0c488a | |||
| 99301d1cbb |
@@ -13,7 +13,7 @@ jobs:
|
|||||||
autoupdate:
|
autoupdate:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v6
|
- uses: actions/checkout@v5
|
||||||
with:
|
with:
|
||||||
ref: source
|
ref: source
|
||||||
- name: Install prerequisites
|
- name: Install prerequisites
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ on:
|
|||||||
action:
|
action:
|
||||||
description: "dry-run"
|
description: "dry-run"
|
||||||
required: true
|
required: true
|
||||||
default: "apply"
|
default: "dryrun"
|
||||||
type: choice
|
type: choice
|
||||||
options:
|
options:
|
||||||
- dryrun
|
- dryrun
|
||||||
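Review bot: The `description: "dry-run"` on the `action` input names one of its choices rather than the input itself, so the workflow_dispatch form will label a dryrun/apply selector as "dry-run"; something like `description: "Run mode: dryrun (report only) or apply"` would match the `options` list, which continues outside the hunk. Defaulting to `"dryrun"` (the right-hand column, which the line counts of the other hunks on this page suggest is the new side) is the safer default for a manually dispatched job that, judging by the `inputs.action` reference in the stale-issue hunk further down, can close issues when set to apply.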
@@ -30,7 +30,4 @@ jobs:
|
|||||||
days-before-close: 7
|
days-before-close: 7
|
||||||
stale-issue-label: stale
|
stale-issue-label: stale
|
||||||
remove-stale-when-updated: true
|
remove-stale-when-updated: true
|
||||||
close-issue-reason: completed
|
|
||||||
stale-issue-message: "If there are no further comments or activity on this issue, it'll be closed automatically in 7 days."
|
|
||||||
close-issue-message: "Automatically closing this issue due to inactivity, don't hesitate to open a new issue if needed."
|
|
||||||
debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}
|
debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}
|
||||||
|
|||||||
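Review bot: `case()` is not one of the functions GitHub's expression syntax provides (contains, startsWith, endsWith, format, join, toJSON, fromJSON, hashFiles plus the status functions), so I would expect the `debug-only:` line, which is unchanged on both sides, to fail at workflow parse time unless the runner in use adds such a function; the comparison already yields a boolean, so `debug-only: ${{ inputs.action == 'dryrun' }}` expresses the intent directly. Note that `inputs.action` is empty on any trigger other than workflow_dispatch (the `on:` block is outside this hunk), in which case the expression is false and the action runs for real, which may or may not be intended. Separately, the right-hand column, which the 7→4 line counts in the header mark as the new side, drops `stale-issue-message`; if I recall actions/stale's README correctly, without that input issues are not marked stale at all, so the job would quietly become a no-op.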
@@ -45,14 +45,14 @@ jobs:
|
|||||||
# workflow file itself MUST stay on the default branch, as GitHub only
|
# workflow file itself MUST stay on the default branch, as GitHub only
|
||||||
# honors `schedule:` triggers on the default branch.
|
# honors `schedule:` triggers on the default branch.
|
||||||
- name: Checkout vuln-watch branch (scripts + prompt)
|
- name: Checkout vuln-watch branch (scripts + prompt)
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v5
|
||||||
with:
|
with:
|
||||||
ref: vuln-watch
|
ref: vuln-watch
|
||||||
fetch-depth: 1
|
fetch-depth: 1
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
|
|
||||||
- name: Set up Python
|
- name: Set up Python
|
||||||
uses: actions/setup-python@v6
|
uses: actions/setup-python@v5
|
||||||
with:
|
with:
|
||||||
python-version: '3.12'
|
python-version: '3.12'
|
||||||
|
|
||||||
@@ -84,7 +84,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Download previous state artifact
|
- name: Download previous state artifact
|
||||||
if: steps.prev.outputs.run_id != ''
|
if: steps.prev.outputs.run_id != ''
|
||||||
uses: actions/download-artifact@v8
|
uses: actions/download-artifact@v5
|
||||||
continue-on-error: true # tolerate retention expiry
|
continue-on-error: true # tolerate retention expiry
|
||||||
with:
|
with:
|
||||||
name: vuln-watch-state
|
name: vuln-watch-state
|
||||||
@@ -115,7 +115,7 @@ jobs:
|
|||||||
# implemented?". Only fetched on days with something to classify.
|
# implemented?". Only fetched on days with something to classify.
|
||||||
- name: Checkout checker code (test branch) for coverage grep
|
- name: Checkout checker code (test branch) for coverage grep
|
||||||
if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
|
if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
|
||||||
uses: actions/checkout@v6
|
uses: actions/checkout@v5
|
||||||
with:
|
with:
|
||||||
ref: test
|
ref: test
|
||||||
path: checker
|
path: checker
|
||||||
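Review bot: The step that checks out the `test` branch into `checker` shows no `persist-credentials: false`, unlike the vuln-watch checkout in the earlier hunk; if the step really ends at `path: checker` (the hunk stops there), actions/checkout's default keeps the job token in that tree's git config, where anything later run against the `checker` directory can read it. Since the step name says the tree is only grepped for coverage, adding `persist-credentials: false` costs nothing and makes the two checkouts consistent.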
@@ -150,7 +150,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload Claude execution log
|
- name: Upload Claude execution log
|
||||||
if: ${{ always() && steps.classify.outputs.execution_file != '' }}
|
if: ${{ always() && steps.classify.outputs.execution_file != '' }}
|
||||||
uses: actions/upload-artifact@v7
|
uses: actions/upload-artifact@v5
|
||||||
with:
|
with:
|
||||||
name: claude-execution-log-${{ github.run_id }}
|
name: claude-execution-log-${{ github.run_id }}
|
||||||
path: ${{ steps.classify.outputs.execution_file }}
|
path: ${{ steps.classify.outputs.execution_file }}
|
||||||
@@ -168,7 +168,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload new state artifact
|
- name: Upload new state artifact
|
||||||
if: always()
|
if: always()
|
||||||
uses: actions/upload-artifact@v7
|
uses: actions/upload-artifact@v5
|
||||||
with:
|
with:
|
||||||
name: vuln-watch-state
|
name: vuln-watch-state
|
||||||
path: state/seen.json
|
path: state/seen.json
|
||||||
@@ -177,7 +177,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Upload daily report
|
- name: Upload daily report
|
||||||
if: always()
|
if: always()
|
||||||
uses: actions/upload-artifact@v7
|
uses: actions/upload-artifact@v5
|
||||||
with:
|
with:
|
||||||
name: vuln-watch-report-${{ github.run_id }}
|
name: vuln-watch-report-${{ github.run_id }}
|
||||||
path: |
|
path: |
|
||||||
|
|||||||
@@ -13,7 +13,7 @@
|
|||||||
#
|
#
|
||||||
# Stephane Lesimple
|
# Stephane Lesimple
|
||||||
#
|
#
|
||||||
VERSION='26.36.0602723'
|
VERSION='26.36.0601873'
|
||||||
|
|
||||||
# --- Common paths and basedirs ---
|
# --- Common paths and basedirs ---
|
||||||
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
|
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
|
||||||
@@ -3936,18 +3936,11 @@ parse_cpu_details() {
|
|||||||
# cpu_variant_list and cpu_revision_list are consumed by ARM64 errata affection checks
|
# cpu_variant_list and cpu_revision_list are consumed by ARM64 errata affection checks
|
||||||
# that need to match a specific revision range.
|
# that need to match a specific revision range.
|
||||||
if grep -q 'CPU implementer' "$g_procfs/cpuinfo"; then
|
if grep -q 'CPU implementer' "$g_procfs/cpuinfo"; then
|
||||||
# keep these single-line (space-separated) so consumers and outputs (JSON, prometheus)
|
cpu_impl_list=$(awk '/CPU implementer/ {print $4}' "$g_procfs/cpuinfo")
|
||||||
# don't end up with embedded newlines; per-core order is preserved for the errata checks
|
cpu_part_list=$(awk '/CPU part/ {print $4}' "$g_procfs/cpuinfo")
|
||||||
cpu_impl_list=$(awk '/CPU implementer/ {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
|
cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$g_procfs/cpuinfo")
|
||||||
cpu_impl_list=${cpu_impl_list% }
|
cpu_variant_list=$(awk '/CPU variant/ {print $4}' "$g_procfs/cpuinfo")
|
||||||
cpu_part_list=$(awk '/CPU part/ {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
|
cpu_revision_list=$(awk '/CPU revision/ {print $4}' "$g_procfs/cpuinfo")
|
||||||
cpu_part_list=${cpu_part_list% }
|
|
||||||
cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$g_procfs/cpuinfo" | tr '\n' ' ')
|
|
||||||
cpu_arch_list=${cpu_arch_list% }
|
|
||||||
cpu_variant_list=$(awk '/CPU variant/ {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
|
|
||||||
cpu_variant_list=${cpu_variant_list% }
|
|
||||||
cpu_revision_list=$(awk '/CPU revision/ {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
|
|
||||||
cpu_revision_list=${cpu_revision_list% }
|
|
||||||
fi
|
fi
|
||||||
# Map first-seen implementer to cpu_vendor; note that heterogeneous systems
|
# Map first-seen implementer to cpu_vendor; note that heterogeneous systems
|
||||||
# (e.g. DynamIQ with ARM+Kryo cores) would all map to one vendor here, but
|
# (e.g. DynamIQ with ARM+Kryo cores) would all map to one vendor here, but
|
||||||
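Review bot: Taking the right-hand column as the new side (the 18→11 line counts in the hunk header only fit that reading), the five `cpu_*_list=$(awk ...)` assignments now hold one value per core separated by newlines and nothing collapses them, while the comment on the other side records why the single-line form was needed: consumers and the JSON/prometheus outputs should not receive embedded newlines. The same applies to the `pr_info " * Implementer(s): $cpu_impl_list"` lines in the check_cpu hunk further down, which print the lists verbatim once the `_uniq_list` helper is dropped in the hunk before it, so a multi-core machine gets one line per core with repeated values. If the newline-separated form is intended, a comment such as `# one entry per core, newline-separated; consumers must split on newlines` next to the assignments would document the contract; otherwise keeping the `| tr '\n' ' '` normalization restores the single-line one. parse_cpu_details begins before this hunk.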
@@ -5058,12 +5051,6 @@ check_kernel_info() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Collapse a whitespace-separated list to its unique values, preserving first-seen order.
|
|
||||||
# Used to prettify the per-core ARM lists for display (e.g. "0x41 0x41 0x41 0x41" -> "0x41").
|
|
||||||
_uniq_list() {
|
|
||||||
echo "$1" | awk '{ for (i = 1; i <= NF; i++) if (!seen[$i]++) printf "%s%s", (n++ ? " " : ""), $i }'
|
|
||||||
}
|
|
||||||
|
|
||||||
# Display hardware-level CPU mitigation support (microcode features, ARCH_CAPABILITIES, etc.)
|
# Display hardware-level CPU mitigation support (microcode features, ARCH_CAPABILITIES, etc.)
|
||||||
check_cpu() {
|
check_cpu() {
|
||||||
local capabilities ret spec_ctrl_msr codename ucode_str
|
local capabilities ret spec_ctrl_msr codename ucode_str
|
||||||
@@ -5073,13 +5060,13 @@ check_cpu() {
|
|||||||
pr_info " * Vendor: $cpu_vendor"
|
pr_info " * Vendor: $cpu_vendor"
|
||||||
pr_info " * Model name: $cpu_friendly_name"
|
pr_info " * Model name: $cpu_friendly_name"
|
||||||
if [ -n "${cpu_impl_list:-}" ]; then
|
if [ -n "${cpu_impl_list:-}" ]; then
|
||||||
pr_info " * Implementer(s): $(_uniq_list "$cpu_impl_list")"
|
pr_info " * Implementer(s): $cpu_impl_list"
|
||||||
fi
|
fi
|
||||||
if [ -n "${cpu_part_list:-}" ]; then
|
if [ -n "${cpu_part_list:-}" ]; then
|
||||||
pr_info " * Part(s): $(_uniq_list "$cpu_part_list")"
|
pr_info " * Part(s): $cpu_part_list"
|
||||||
fi
|
fi
|
||||||
if [ -n "${cpu_arch_list:-}" ]; then
|
if [ -n "${cpu_arch_list:-}" ]; then
|
||||||
pr_info " * Architecture(s): $(_uniq_list "$cpu_arch_list")"
|
pr_info " * Architecture(s): $cpu_arch_list"
|
||||||
fi
|
fi
|
||||||
if has_runtime; then
|
if has_runtime; then
|
||||||
pr_info_nol " * Running as VM guest: "
|
pr_info_nol " * Running as VM guest: "
|
||||||
|
|||||||