init: daily vulnerability watch automation

scripts used by the cron vuln-watch workflow
from the master branch.

scripts/vuln_watch/sources.py

@@ -0,0 +1,59 @@
+"""Declarative list of sources polled by the daily vuln scan."""
+from dataclasses import dataclass
+from typing import Literal
+
+Kind = Literal["rss", "atom", "html"]
+
+
+@dataclass(frozen=True)
+class Source:
+    name: str
+    url: str
+    kind: Kind
+    # For HTML sources: regexes used to extract advisory IDs from the page.
+    advisory_id_patterns: tuple[str, ...] = ()
+    # Human-facing URL to use as permalink fallback when `url` points at a
+    # non-browsable endpoint (e.g. a JS data file). Empty = use `url`.
+    display_url: str = ""
+    # Per-source UA override. AMD's CDN drops connections when the UA string
+    # contains a parenthesized URL, while Intel/ARM's WAF rejects UAs that
+    # don't identify themselves — so we can't use one UA everywhere.
+    # Empty = use the module-level USER_AGENT.
+    user_agent: str = ""
+
+
+SOURCES: tuple[Source, ...] = (
+    Source("phoronix",       "https://www.phoronix.com/rss.php", "rss"),
+    Source("oss-sec",        "https://seclists.org/rss/oss-sec.rss", "rss"),
+    Source("lwn",            "https://lwn.net/headlines/newrss", "rss"),
+    Source("project-zero",   "https://googleprojectzero.blogspot.com/feeds/posts/default", "atom"),
+    Source("vusec",          "https://www.vusec.net/feed/", "rss"),
+    Source("comsec-eth",     "https://comsec.ethz.ch/category/news/feed/", "rss"),
+    # api.msrc.microsoft.com/update-guide/rss is the real RSS endpoint; the
+    # msrc.microsoft.com/... URL returns the SPA shell (2.7 KB) instead.
+    Source("msrc",           "https://api.msrc.microsoft.com/update-guide/rss", "rss"),
+    Source("cisa",           "https://www.cisa.gov/cybersecurity-advisories/all.xml", "rss"),
+    Source("cert-cc",        "https://www.kb.cert.org/vuls/atomfeed/", "atom"),
+    Source("intel-psirt",    "https://www.intel.com/content/www/us/en/security-center/default.html", "html",
+           (r"INTEL-SA-\d+",)),
+    Source("amd-psirt",      "https://www.amd.com/en/resources/product-security.html", "html",
+           (r"AMD-SB-\d+",),
+           user_agent="spectre-meltdown-checker/vuln-watch"),
+    Source("arm-spec",       "https://developer.arm.com/Arm%20Security%20Center/Speculative%20Processor%20Vulnerability", "html",
+           (r"CVE-\d{4}-\d{4,7}",)),
+    # transient.fail renders its attack table from tree.js client-side; we
+    # pull the JS file directly (CVE regex works on its JSON-ish body).
+    Source("transient-fail", "https://transient.fail/tree.js", "html",
+           (r"CVE-\d{4}-\d{4,7}",),
+           display_url="https://transient.fail/"),
+)
+
+# Identify ourselves honestly. Akamai/Cloudflare WAFs fronting intel.com,
+# developer.arm.com, and cisa.gov return 403 when the UA claims "Mozilla"
+# but TLS/HTTP fingerprint doesn't match a real browser — an honest bot UA
+# passes those rules cleanly.
+USER_AGENT = (
+    "spectre-meltdown-checker/vuln-watch "
+    "(+https://github.com/speed47/spectre-meltdown-checker)"
+)
+REQUEST_TIMEOUT = 30