fix(plugins): harden fragile version regexes and slicing (#1070)

markuslf · markuslf · commit 0ce9343c0521 · 2026-04-12T21:19:41.000+02:00
Three plugins parsed version strings in ways that either had a real
bug or only worked by accident:

- axenita-stats: the slice `axenita_ver[8 : 8 + axenita_ver.find('-') - 1]`
  was designed for the fixed `release-14.0.8-...` format and happened to
  extract "14.0.8" when the patch was a single digit. For any longer
  patch (e.g. `14.0.12`) the slice silently truncated the trailing
  digit, and for 2-digit majors it would slide out of bounds. Replace
  with a simple `split('-')[1]` and document why the dots are stripped
  (perfdata wants a numeric value).
- keycloak-version: the regex `r'n (.*)'` happened to match the "n " in
  the word "Version" of `/opt/keycloak/version.txt` (contents:
  `Keycloak - Version 25.0.4`) and capture the version tail. Replace
  with an explicit `r'[Vv]ersion\s+(\d+(?:\.\d+)*)'`. Also fall through
  to the API fallback when the file is present but does not match,
  instead of aborting with "Keycloak not found".
- openvpn-version: the regex `r'N (\d+\.\d+\.\d+)'` matched the "N" at
  the end of "OpenVPN" plus the following space. Anchor the match on
  "OpenVPN" explicitly.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * wildfly-memory-usage: same `state += get_worst(...)` accumulation bug in both the heap and non-heap branches. Replaced with the new variadic `lib.base.get_worst(state, used_state, committed_state)` so the heap/non-heap used/committed states can be combined in a single call ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * wildfly-non-xa-datasource-stats, wildfly-xa-datasource-stats: the "max used" threshold check passed `active_pct` to `lib.base.get_state(...)` instead of `max_used_pct`, so the plugin alerted on the wrong metric. The output text already showed `max_used_pct` correctly ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 * xml: actually use the captured `result = r[0].text` in the string-search branch. Before, `result` was assigned but unused and the branch re-evaluated `r[0].text` three more times ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
+* axenita-stats: fix the version-number extraction slice `[8 : 8 + find('-') - 1]` that only worked for exactly 6-character versions like `14.0.8` and silently truncated any longer patch number. Use `split('-')[1]` instead, which handles `14.0.12`, `1.2.3`, and 2-digit majors correctly ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
+* keycloak-version: replace the fragile regex `r'n (.*)'` (which relied on the "n " in the word "Version" of `/opt/keycloak/version.txt`) with an explicit `r'[Vv]ersion\s+(\d+(?:\.\d+)*)'` pattern. Also fall through to the API fallback when the file is present but the regex does not match, instead of aborting with "Keycloak not found" ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
+* openvpn-version: replace the fragile regex `r'N (\d+\.\d+\.\d+)'` (which relied on the "N" at the end of "OpenVPN") with an explicit `r'OpenVPN\s+(\d+\.\d+\.\d+)'` pattern anchored on the command name ([#1070](https://github.com/Linuxfabrik/monitoring-plugins/issues/1070))
 
 ### Security
 
diff --git a/check-plugins/axenita-stats/axenita-stats b/check-plugins/axenita-stats/axenita-stats
@@ -21,7 +21,7 @@ import lib.url
 from lib.globals import STATE_OK, STATE_UNKNOWN, STATE_WARN
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2026040801'
+__version__ = '2026041201'
 
 DESCRIPTION = """Monitors the health and performance of an Axenita/Achilles installation by querying
 four API endpoints: ReadModel state, active user sessions, build information, and
@@ -268,7 +268,16 @@ def main():
             lib.base.oao(msg, state, perfdata, always_ok=args.ALWAYS_OK)
         axenita_ver = achilles_buildinfo['data']['version']
         msg += f'{axenita_ver} (timestamp {achilles_buildinfo["data"]["timestamp"]}), '
-        axenita_ver = axenita_ver[8 : 8 + axenita_ver.find('-') - 1].replace('.', '')
+        # the version field looks like "release-14.0.8-20210312134147-cf77b213090";
+        # take the second hyphen-separated segment (the dotted version) and collapse
+        # the dots to get a numeric perfdata value. the previous slice
+        # `[8 : 8 + find('-') - 1]` happened to work only for exactly-6-char
+        # versions like "14.0.8" and silently truncated multi-digit patches.
+        version_parts = axenita_ver.split('-')
+        if len(version_parts) >= 2:
+            axenita_ver = version_parts[1].replace('.', '')
+        else:
+            axenita_ver = ''
         perfdata += lib.base.get_perfdata(
             'axenita-version',
             axenita_ver,
diff --git a/check-plugins/keycloak-version/keycloak-version b/check-plugins/keycloak-version/keycloak-version
@@ -22,7 +22,7 @@ import lib.version
 from lib.globals import STATE_UNKNOWN
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2026040801'
+__version__ = '2026041201'
 
 DESCRIPTION = """Checks the installed Keycloak version against the endoflife.date API and alerts if the
 version is end-of-life or if newer major, minor, or patch releases are available. By
@@ -169,8 +169,14 @@ def get_installed_version(args):
     """Fetch the Keycloak version. First, try to access the file system,
     then try to fetch the API.
     """
-    success, version = lib.disk.grep_file(args.PATH + '/version.txt', r'n (.*)')
-    if success:
+    # /opt/keycloak/version.txt contains a line like "Keycloak - Version 25.0.4".
+    # The old regex `r'n (.*)'` happened to match the "n " in "Version" and
+    # capture the rest of the line, but would silently break on any format
+    # change. Match the version number explicitly instead.
+    success, version = lib.disk.grep_file(
+        args.PATH + '/version.txt', r'[Vv]ersion\s+(\d+(?:\.\d+)*)'
+    )
+    if success and version:
         return version
 
     # Discover the OIDC endpoints for the realm (no authentication needed),
diff --git a/check-plugins/openvpn-version/openvpn-version b/check-plugins/openvpn-version/openvpn-version
@@ -21,7 +21,7 @@ import lib.version
 from lib.globals import STATE_UNKNOWN
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2025100601'
+__version__ = '2026041201'
 
 DESCRIPTION = """Checks the installed OpenVPN version against the endoflife.date API and alerts if the
 version is end-of-life or if newer major, minor, or patch releases are available. By
@@ -132,12 +132,13 @@ def get_installed_version(path):
     # OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 10 2023
     # OpenVPN 2.5.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2024
     # OpenVPN 2.6.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
-    version_regex = r'N (\d+\.\d+\.\d+)'
-    try:
-        stdout = re.search(version_regex, stdout)
-        return stdout.group(1).strip()
-    except Exception:
+    # The old regex `r'N (\d+\.\d+\.\d+)'` happened to match the "N" in
+    # "OpenVPN" and capture the version, but would silently break on any
+    # format change. Anchor on "OpenVPN" explicitly instead.
+    match = re.search(r'OpenVPN\s+(\d+\.\d+\.\d+)', stdout)
+    if not match:
         return ''
+    return match.group(1).strip()
 
 
 def main():
