From: Tim Orling <ticotimo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: marta.rybczynska@syslinbit.com
Subject: [PATCH 0/1] vex: rename rootfs CVE manifest JSON to include .vex. suffix
Date: Fri, 20 Mar 2026 09:43:51 -0700
Message-ID: <cover.1774024001.git.tim.orling@konsulko.com>

We have other *.rootfs.*.json files, such as .rootfs.spdx.json and
rootfs.testdata.json, so let us remove any ambiguity about the source and
purpose of this file generated by vex.bbclass.

The only other file that defines CVE_CHECK_MANIFEST_JSON is
meta/classes/cve-check.bbclass (line 54). It uses the same ?=
weak assignment with a suffix mechanism:

    CVE_CHECK_MANIFEST_JSON_SUFFIX ?= "json"
    CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.${CVE_CHECK_MANIFEST_JSON_SUFFIX}"

When both cve-check and vex are inherited, vex.bbclass's ?= will win or
lose depending on parse order. Since vex.bbclass is intentionally designed
to supersede cve-check behavior (line 76 in vex.bbclass even checks
inherits_class("cve-check", d)), this is likely fine by design — but it's
worth noting that cve-check.bbclass's suffix mechanism is effectively
bypassed when vex is active.

No tests or documentation currently reference the old .json filename
pattern, so there are no other files needing updates. The main practical
impact is on any external automation or scripts (outside of oe-core repo) that
were consuming ${IMAGE_LINK_NAME}.json as the VEX output — those would need
to be updated to look for ${IMAGE_LINK_NAME}.vex.json instead.

The documentation for sbom-cve-check tool would need an update:
https://sbom-cve-check.readthedocs.io/en/latest/user-guide.html#examples-of-invocation

Tim Orling (1):
vex: rename rootfs CVE manifest JSON to include .vex. suffix
meta/classes/vex.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
2.50.1 (Apple Git-155)
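
For external automation affected by the rename described in the message above, the following is an added example, not part of the original message or of oe-core. It resolves the manifest by the new `${IMAGE_LINK_NAME}.vex.json` name, falls back to the old `${IMAGE_LINK_NAME}.json` name, and flags a leftover old-name file so a scanner does not consume stale CVE data. The function name `find_vex_manifest` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from oe-core): locate the vex.bbclass rootfs manifest
# across the .json -> .vex.json rename. The function name and arguments are
# hypothetical; the caller supplies the deploy directory and the image link name.

# find_vex_manifest <deploy_dir> <image_link_name>
# Prints the chosen manifest path on stdout, diagnostics on stderr.
# Returns 0 when a manifest is found, 1 when neither name exists.
find_vex_manifest() {
    deploy_dir=$1
    link_name=$2
    new="$deploy_dir/$link_name.vex.json"
    old="$deploy_dir/$link_name.json"

    if [ -f "$new" ]; then
        # An old-name file next to the new one is a leftover from a build
        # made before the rename; reading it would report outdated CVE status.
        if [ -f "$old" ]; then
            echo "warning: ignoring leftover legacy manifest $old" >&2
        fi
        printf '%s\n' "$new"
        return 0
    fi

    if [ -f "$old" ]; then
        echo "warning: using legacy manifest name $old" >&2
        printf '%s\n' "$old"
        return 0
    fi

    # Exact-name matching means .spdx.json and .testdata.json are never picked.
    echo "error: no VEX manifest for $link_name in $deploy_dir" >&2
    return 1
}
```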