Hi, The kernel scripts to check CVEs uses the vex output as input. https://git.openembedded.org/openembedded-core/tree/scripts/contrib/improve_kernel_cve_report.py
Daniel From: [email protected] <[email protected]> On Behalf Of Marta Rybczynska via lists.openembedded.org Sent: Tuesday, 31 March 2026 16:43 To: [email protected] Cc: [email protected] Subject: Re: [OE-core] [PATCH 1/3] classes/vex: remove On Tue, Mar 31, 2026 at 3:24 PM Ross Burton via lists.openembedded.org<http://lists.openembedded.org/> <[email protected]<mailto:[email protected]>> wrote: This class existed as a provider of information for external CVE tooling, and uses a non-standard format that is OpenEmbedded-specific[1]. However, the SPDX 3 output can contain all of this needed information, in a format that is standardised. I'm unaware of any active users of this class beyond sbom-cve-check, which can also read the data from the SPDX if SPDX_INCLUDE_VEX has been set. So that we don't have to maintain this class for the lifetime of the Wrynose LTS, delete it. [1] oe-core 6352ad93a72 ("vex.bbclass: add a new class") For the record, I do not agree with this removal. SPDX3 has still not reached mature usage outside of the LF ecosystem. Kind regards, Marta
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#234345): https://lists.openembedded.org/g/openembedded-core/message/234345 Mute This Topic: https://lists.openembedded.org/mt/118596049/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
