[PATCH 0/1] vex: rename rootfs CVE manifest JSON to include .vex. suffix

[PATCH 0/1] vex: rename rootfs CVE manifest JSON to include .vex. suffix

[Tim Orling]

We have other *.rootfs.*.json files, such as .rootfs.spdx.json and
rootfs.testdata.json, so let us remove any ambiquity about the source and
purpose of this file generated by vex.bbclass.

The only other file that defines CVE_CHECK_MANIFEST_JSON is
meta/classes/cve-check.bbclass (line 54). It uses the same ?=
weak assignment with a suffix mechanism:

CVE_CHECK_MANIFEST_JSON_SUFFIX ?= "json"
CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.${CVE_CHECK_MANIFEST_JSON_SUFFIX}"

When both cve-check and vex are inherited, vex.bbclass's ?= will win or
lose depending on parse order. Since vex.bbclass is intentionally designed
to supersede cve-check behavior (line 76 in vex.bbclass even checks
inherits_class("cve-check", d)), this is likely fine by design — but it's
worth noting that cve-check.bbclass's suffix mechanism is effectively
bypassed when vex is active.

No tests or documentation currently reference the old .json filename
pattern, so there are no other files needing updates. The main practical
impact is on any external automation or scripts (outside of oe-core repo) that
were consuming ${IMAGE_LINK_NAME}.json as the VEX output — those would need
to be updated to look for ${IMAGE_LINK_NAME}.vex.json instead.

The documentation for sbom-cve-check tool would need an update:
https://sbom-cve-check.readthedocs.io/en/latest/user-guide.html#examples-of-invocation

Tim Orling (1):
  vex: rename rootfs CVE manifest JSON to include .vex. suffix

 meta/classes/vex.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.50.1 (Apple Git-155)

[PATCH 1/1] vex: rename rootfs CVE manifest JSON to include .vex. suffix

[Tim Orling]

Rename the rootfs CVE manifest output file and its deploy
directory symlink from ${IMAGE_NAME}.json to
${IMAGE_NAME}.vex.json, and from ${IMAGE_LINK_NAME}.json
to ${IMAGE_LINK_NAME}.vex.json.

This avoids ambiguity in the image deploy directory where
other rootfs JSON files exist (e.g. SPDX/SBOM output), making
the VEX origin and purpose explicit in the filename.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
 meta/classes/vex.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass
index 402d8e0d964..c57b8209c23 100644
--- a/meta/classes/vex.bbclass
+++ b/meta/classes/vex.bbclass
@@ -33,7 +33,7 @@ CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
 
 CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
 CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
-CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json"
+CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.vex.json"
 
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
@@ -201,7 +201,7 @@ python vex_write_rootfs_manifest () {
 
     d.setVar("PN", save_pn)
 
-    link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+    link_path = os.path.join(deploy_dir, "%s.vex.json" % link_name)
     manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
 
     with open(manifest_name, "w") as f:
-- 
2.50.1 (Apple Git-155)