From: Tim Orling <ticotimo@gmail.com>
Date: Fri, 20 Mar 2026 16:43:52 +0000 (-0700)
Subject: vex: rename rootfs CVE manifest JSON to include .vex. suffix
X-Git-Tag: yocto-6.0_M3~213
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de3f35114653092cb2096abde8cbf0cc477dd4ac;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

vex: rename rootfs CVE manifest JSON to include .vex. suffix

Rename the rootfs CVE manifest output file and its deploy
directory symlink from ${IMAGE_NAME}.json to
${IMAGE_NAME}.vex.json, and from ${IMAGE_LINK_NAME}.json
to ${IMAGE_LINK_NAME}.vex.json.

This avoids ambiguity in the image deploy directory where
other rootfs JSON files exist (e.g. SPDX/SBOM output), making
the VEX origin and purpose explicit in the filename.

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass
index 402d8e0d96..c57b8209c2 100644
--- a/meta/classes/vex.bbclass
+++ b/meta/classes/vex.bbclass
@@ -33,7 +33,7 @@ CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
 
 CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
 CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
-CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json"
+CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.vex.json"
 
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
@@ -201,7 +201,7 @@ python vex_write_rootfs_manifest () {
 
     d.setVar("PN", save_pn)
 
-    link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+    link_path = os.path.join(deploy_dir, "%s.vex.json" % link_name)
     manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
 
     with open(manifest_name, "w") as f: