From patchwork Fri Mar 20 16:43:51 2026
X-Patchwork-Submitter: Tim Orling
X-Patchwork-Id: 2355
From: Tim Orling
To: openembedded-core@lists.openembedded.org
Cc: marta.rybczynska@syslinbit.com
Subject: [PATCH 0/1] vex: rename rootfs CVE manifest JSON to include .vex.
 suffix
Date: Fri, 20 Mar 2026 09:43:51 -0700
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/233618

We have other *.rootfs.*.json files, such as .rootfs.spdx.json and
rootfs.testdata.json, so let us remove any ambiguity about the source and
purpose of this file generated by vex.bbclass.

The only other file that defines CVE_CHECK_MANIFEST_JSON is
meta/classes/cve-check.bbclass (line 54). It uses the same ?= weak assignment
with a suffix mechanism:

    CVE_CHECK_MANIFEST_JSON_SUFFIX ?= "json"
    CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.${CVE_CHECK_MANIFEST_JSON_SUFFIX}"

When both cve-check and vex are inherited, vex.bbclass's ?= will win or lose
depending on parse order. Since vex.bbclass is intentionally designed to
supersede cve-check behavior (line 76 in vex.bbclass even checks
inherits_class("cve-check", d)), this is likely fine by design — but it's
worth noting that cve-check.bbclass's suffix mechanism is effectively bypassed
when vex is active.

No tests or documentation currently reference the old .json filename pattern,
so there are no other files needing updates.

The main practical impact is on any external automation or scripts (outside of
oe-core repo) that were consuming ${IMAGE_LINK_NAME}.json as the VEX output —
those would need to be updated to look for ${IMAGE_LINK_NAME}.vex.json
instead.

The documentation for sbom-cve-check tool would need an update:
https://sbom-cve-check.readthedocs.io/en/latest/user-guide.html#examples-of-invocation

Tim Orling (1):
  vex: rename rootfs CVE manifest JSON to include .vex. suffix

 meta/classes/vex.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
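
For external automation affected by the rename, here is a lookup that works on both pre- and post-rename deploy directories. This is an added example, not part of the original message or of oe-core. The function names and the sample image link name are hypothetical.

```python
import tempfile
from pathlib import Path

# Suffixes of the other rootfs JSON artifacts named in the cover letter.
KNOWN_OTHER = {".spdx.json": "spdx", ".testdata.json": "testdata"}


def classify_rootfs_json(filename):
    """Classify a deploy-dir JSON file by its suffix alone."""
    if filename.endswith(".vex.json"):
        return "vex"
    for suffix, kind in KNOWN_OTHER.items():
        if filename.endswith(suffix):
            return kind
    # A bare .json is what the pre-rename VEX output looked like; the name
    # alone does not prove it is VEX, which is the ambiguity being removed.
    return "ambiguous" if filename.endswith(".json") else "not-json"


def find_vex_manifest(deploy_dir, image_link_name):
    """Return (path, is_legacy_name), or (None, False) if nothing matches.

    Uses exact names rather than a glob, so .spdx.json and .testdata.json
    can never be picked up by mistake.
    """
    deploy = Path(deploy_dir)
    for name, legacy in ((f"{image_link_name}.vex.json", False),
                         (f"{image_link_name}.json", True)):
        candidate = deploy / name
        if candidate.is_file():
            return candidate, legacy
    return None, False


if __name__ == "__main__":
    link = "core-image-minimal-qemux86-64.rootfs"  # constructed sample name
    with tempfile.TemporaryDirectory() as tmp:
        for ext in ("json", "spdx.json", "testdata.json"):
            Path(tmp, f"{link}.{ext}").write_text("{}")
        print(find_vex_manifest(tmp, link))  # only the legacy name exists
        Path(tmp, f"{link}.vex.json").write_text("{}")
        print(find_vex_manifest(tmp, link))  # new name is preferred
```

A consumer can log a warning whenever the second return value is true, which flags builds that still emit the old filename.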