feat: v0.19.0 — CVE watch: periodic vulnerability monitoring for installed deps

- CVE watch: lightweight background task checking OSV.dev for new CVEs
- Default interval: 6 hours (configurable)
- Tracks alerts across runs: only notifies on NEW vulnerabilities
- MQTT status: publishes cve_alert:{count}_new when new CVEs found
- API: GET /api/cve-alerts, POST /api/cve-watch (enable/disable)
- Settings: cve_watch_enabled, cve_watch_interval_hours

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jrx-code

ha-sandbox/app/main.py

@@ -50,10 +50,12 @@ async def lifespan(app: FastAPI):
         publish_status("idle")
     except Exception as e:
         log.warning("MQTT init failed (non-fatal): %s", e)
-    # Start scheduled scans if enabled
+    # Start scheduled tasks if enabled
     cfg = app_settings.load()
     if cfg.get("schedule_enabled"):
         scheduler.start(cfg.get("schedule_interval_hours", 24))
+    if cfg.get("cve_watch_enabled"):
+        scheduler.start_cve_watch(cfg.get("cve_watch_interval_hours", 6))
     yield
     scheduler.stop()
     storage.close()
@@ -536,6 +538,39 @@ async def api_scheduler_update(request: Request):
     return JSONResponse(content={"ok": True, **scheduler.status()})
 
 
+# --- CVE Watch API ---
+
+@app.get("/api/cve-alerts")
+async def api_cve_alerts():
+    """Get current CVE alerts from the watch system."""
+    alerts = scheduler.get_cve_alerts()
+    return JSONResponse(content={
+        "alerts": alerts,
+        "total": sum(len(v) for v in alerts.values()),
+        "components_affected": len(alerts),
+    })
+
+
+@app.post("/api/cve-watch")
+async def api_cve_watch_update(request: Request):
+    """Enable/disable CVE watch.
+
+    Body: {"enabled": true/false, "interval_hours": 6}
+    """
+    data = await request.json()
+    enabled = data.get("enabled", False)
+    interval = float(data.get("interval_hours", 6))
+
+    app_settings.save({"cve_watch_enabled": enabled, "cve_watch_interval_hours": interval})
+
+    if enabled and interval > 0:
+        scheduler.start_cve_watch(interval)
+    else:
+        scheduler.stop()
+
+    return JSONResponse(content={"ok": True, **scheduler.status()})
+
+
 # --- Cross-Component Intelligence API (L.5) ---
 
 @app.get("/api/intelligence")

ha-sandbox/app/scheduler.py

@@ -1,4 +1,4 @@
-"""Scheduled periodic scans of installed HACS components."""
+"""Scheduled periodic scans and CVE watch for installed HACS components."""
 
 import asyncio
 import logging
@@ -7,8 +7,12 @@
 log = logging.getLogger(__name__)
 
 _task: asyncio.Task | None = None
+_cve_task: asyncio.Task | None = None
 _interval_hours: float = 0
+_cve_interval_hours: float = 6
 _enabled: bool = False
+_cve_enabled: bool = False
+_last_cve_alerts: dict[str, list[str]] = {}
 
 
 async def _scheduled_loop():
@@ -57,6 +61,70 @@ async def _scheduled_loop():
             publish_status("idle")
 
 
+async def _cve_watch_loop():
+    """Lightweight CVE-only check — queries OSV.dev for known deps without full scan."""
+    from app.scanner.hacs_list import fetch_installed_hacs, repo_to_url
+    from app.scanner.fetch import fetch_and_parse
+    from app.scanner.cve_lookup import check_cve, check_cve_repo
+    from app.report.mqtt import publish_status
+    from app.models import ScanJob
+
+    global _last_cve_alerts
+
+    while True:
+        await asyncio.sleep(_cve_interval_hours * 3600)
+        if not _cve_enabled:
+            continue
+
+        log.info("CVE watch check starting (interval=%gh)", _cve_interval_hours)
+
+        try:
+            installed = await fetch_installed_hacs()
+            if not installed:
+                continue
+
+            new_alerts: dict[str, list[str]] = {}
+            for comp in installed:
+                url = repo_to_url(comp.get("full_name", ""))
+                if not url:
+                    continue
+                name = comp.get("name", comp.get("full_name", ""))
+
+                try:
+                    job = ScanJob(id=f"cve:{name[:8]}", repo_url=url, name=name)
+                    repo_path = fetch_and_parse(job)
+
+                    findings = []
+                    if job.manifest and job.manifest.requirements:
+                        cve_findings = await check_cve(job.manifest)
+                        findings.extend(cve_findings)
+                    repo_cve = await check_cve_repo(repo_path)
+                    findings.extend(repo_cve)
+
+                    if findings:
+                        cve_ids = [f.description[:80] for f in findings]
+                        prev = _last_cve_alerts.get(name, [])
+                        new_cves = [c for c in cve_ids if c not in prev]
+                        if new_cves:
+                            new_alerts[name] = new_cves
+                            log.warning("CVE watch: %s has %d new vulnerabilities", name, len(new_cves))
+                        _last_cve_alerts[name] = cve_ids
+
+                except Exception as e:
+                    log.warning("CVE watch failed for %s: %s", name, e)
+
+            if new_alerts:
+                total = sum(len(v) for v in new_alerts.values())
+                publish_status(f"cve_alert:{total}_new")
+                log.warning("CVE watch: %d new vulnerabilities across %d components",
+                            total, len(new_alerts))
+            else:
+                log.info("CVE watch: no new vulnerabilities found")
+
+        except Exception as e:
+            log.exception("CVE watch loop error: %s", e)
+
+
 def start(interval_hours: float = 24):
     """Start the scheduled scan loop."""
     global _task, _interval_hours, _enabled
@@ -75,14 +143,36 @@ def start(interval_hours: float = 24):
     log.info("Scheduled scans enabled: every %gh", interval_hours)
 
 
+def start_cve_watch(interval_hours: float = 6):
+    """Start the CVE watch loop (lightweight, CVE-only checks)."""
+    global _cve_task, _cve_interval_hours, _cve_enabled
+    if interval_hours <= 0:
+        log.info("CVE watch disabled (interval=0)")
+        return
+
+    _cve_interval_hours = interval_hours
+    _cve_enabled = True
+
+    if _cve_task and not _cve_task.done():
+        log.info("CVE watch already running, updating interval to %gh", interval_hours)
+        return
+
+    _cve_task = asyncio.create_task(_cve_watch_loop())
+    log.info("CVE watch enabled: every %gh", interval_hours)
+
+
 def stop():
-    """Stop the scheduled scan loop."""
-    global _task, _enabled
+    """Stop all scheduled tasks."""
+    global _task, _cve_task, _enabled, _cve_enabled
     _enabled = False
+    _cve_enabled = False
     if _task and not _task.done():
         _task.cancel()
         _task = None
-    log.info("Scheduled scans disabled")
+    if _cve_task and not _cve_task.done():
+        _cve_task.cancel()
+        _cve_task = None
+    log.info("All scheduled tasks disabled")
 
 
 def status() -> dict:
@@ -91,4 +181,15 @@ def status() -> dict:
         "enabled": _enabled,
         "interval_hours": _interval_hours,
         "running": _task is not None and not _task.done() if _task else False,
+        "cve_watch": {
+            "enabled": _cve_enabled,
+            "interval_hours": _cve_interval_hours,
+            "running": _cve_task is not None and not _cve_task.done() if _cve_task else False,
+            "active_alerts": len(_last_cve_alerts),
+        },
     }
+
+
+def get_cve_alerts() -> dict[str, list[str]]:
+    """Return current CVE alerts from last watch run."""
+    return _last_cve_alerts

ha-sandbox/app/settings.py

@@ -32,6 +32,8 @@
     "log_level": "info",
     "schedule_enabled": False,
     "schedule_interval_hours": 24,
+    "cve_watch_enabled": False,
+    "cve_watch_interval_hours": 6,
 }
 
 # Public API provider presets

ha-sandbox/config.yaml

@@ -1,5 +1,5 @@
 name: "HA Security Sandbox"
-version: "0.18.0"
+version: "0.19.0"
 slug: ha_security_sandbox
 description: "Security scanner for Home Assistant custom components — static analysis + AI review"
 url: "https://github.com/jrx-code/ha-security-sandbox"