Hi Marta,

On 31 May 2024, at 14:01, Marta Rybczynska via lists.openembedded.org <[email protected]> wrote:

> The "vex" class generates the minimum information that is needed
> by an external CVE checking tool. It is a drop-in replacement of "cve-check".
> It uses the same variables from recipes.
>
> It generates the JSON output format only.
This appears to be a trimmed-down version of the cve-check class which outputs the same JSON file, so what this is really missing is the greater context. For example, the comments still talk about the cve-check behaviour, not this new vex class's behaviour. Understanding what this class is doing and how it's meant to be used isn't obvious.

Correct me if I'm wrong, but this class writes a JSON file per recipe (in the same bespoke JSON format as cve-check) that contains _just_ the assertions in the recipe: that is, any CVE_STATUS assignments and resolved statements from patches. It does not include all known issues because that changes over time; that is the responsibility of external tooling. This explanation should be in the comments.

Is this bespoke JSON format still the best format to use, or should we adopt an existing format such as OpenVEX?

There's a chunk of code in cve_write_data_json() to write CVE metadata that appears to be dead code that can be deleted.

Also, the vex_clean event is entirely dead code, as the variables defining the files to clean are never assigned.

Also, I'm unconvinced that we need to write so many files. We end up with a file inside WORKDIR, LOG_DIR, and DEPLOY_DIR. Can we just reduce that down to DEPLOY_DIR?

Ross
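To make the two points above concrete (that the per-recipe output is only the recipe's own CVE_STATUS assertions, and that an existing format such as OpenVEX could carry them), here is an added example that is not part of the patch under review nor of the cve-check or vex classes in openembedded-core. It parses CVE_STATUS flags from a constructed recipe fragment, buckets the detailed status keywords the way cve-check's Patched/Unpatched/Ignored grouping does, and emits an OpenVEX-shaped document. The OpenVEX field names, the status and justification mappings, and the CVE ids in the sample are this example's own assumptions and placeholders; check them against the published OpenVEX specification and the real CVE_STATUS keyword list before relying on them.

```python
"""Added example: recipe CVE_STATUS assertions -> OpenVEX-style document.

Not from openembedded-core. Field names and mappings are assumptions.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed recipe fragment; the CVE ids are placeholders, not real advisories.
SAMPLE_RECIPE = """\
SUMMARY = "example package"
CVE_PRODUCT = "example"
CVE_STATUS[CVE-2000-0001] = "backported-patch: fixed by 0001-fix.patch"
CVE_STATUS[CVE-2000-0002] = "not-applicable-platform: only affects Windows builds"
CVE_STATUS[CVE-2000-0003] = "disputed: upstream says this is not a bug"
CVE_STATUS[CVE-2000-0004] = "unpatched: fix still pending upstream"
"""

# Detailed keyword -> cve-check style group (assumed to match CVE_CHECK_STATUSGROUPS).
STATUS_GROUP = {
    "patched": "Patched", "backported-patch": "Patched", "fixed-version": "Patched",
    "cpe-incorrect": "Ignored", "not-applicable-platform": "Ignored",
    "not-applicable-config": "Ignored", "upstream-wontfix": "Ignored",
    "disputed": "Ignored", "ignored": "Ignored",
    "unpatched": "Unpatched",
}
# Group -> OpenVEX status vocabulary (assumed mapping).
OPENVEX_STATUS = {"Patched": "fixed", "Ignored": "not_affected", "Unpatched": "affected"}
# Keywords with a clean machine-readable VEX justification (assumed mapping);
# the rest fall back to a free-text impact_statement.
JUSTIFICATION = {
    "cpe-incorrect": "component_not_present",
    "not-applicable-platform": "vulnerable_code_not_in_execute_path",
    "not-applicable-config": "vulnerable_code_not_present",
}

CVE_STATUS_RE = re.compile(r'^\s*CVE_STATUS\[(CVE-\d{4}-\d{4,})\]\s*=\s*"([^"]*)"\s*$')


def parse_cve_status(recipe_text):
    """Return [(cve_id, keyword, description)] for each CVE_STATUS flag in recipe_text.

    The value follows the "keyword: description" convention; description may be empty.
    Unknown keywords are rejected rather than silently passed through.
    """
    found = []
    for line in recipe_text.splitlines():
        m = CVE_STATUS_RE.match(line)
        if not m:
            continue
        cve_id, value = m.groups()
        keyword, _, description = value.partition(":")
        keyword = keyword.strip()
        if keyword not in STATUS_GROUP:
            raise ValueError(f"{cve_id}: unknown CVE_STATUS keyword {keyword!r}")
        found.append((cve_id, keyword, description.strip()))
    return found


def to_openvex(assertions, product_id, author, timestamp=None):
    """Build an OpenVEX-shaped document holding only the recipe's own assertions."""
    statements = []
    for cve_id, keyword, description in assertions:
        group = STATUS_GROUP[keyword]
        stmt = {
            "vulnerability": {"name": cve_id},
            "products": [{"@id": product_id}],
            "status": OPENVEX_STATUS[group],
        }
        if group == "Ignored":
            # not_affected needs either a justification or an impact statement.
            if keyword in JUSTIFICATION:
                stmt["justification"] = JUSTIFICATION[keyword]
            else:
                stmt["impact_statement"] = description or f"marked {keyword} in recipe"
        elif group == "Unpatched":
            # affected carries an action statement for the consumer.
            stmt["action_statement"] = description or "no fix carried by this recipe yet"
        elif description:
            stmt["status_notes"] = description
        statements.append(stmt)
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": uuid.uuid4().urn,
        "author": author,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


if __name__ == "__main__":
    doc = to_openvex(parse_cve_status(SAMPLE_RECIPE), "pkg:generic/example@1.0", "example-maintainer")
    print(json.dumps(doc, indent=2))
```

The output deliberately contains one statement per CVE_STATUS line and nothing else: anything the recipe does not assert (the full set of known CVEs for the product) is left to the external tool that consumes the document, which is the division of responsibility described above.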
