22 files changed, 1102 insertions, 1289 deletions
diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass
index 2d0bbfbd42..a95c899a0f 100644
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -166,6 +166,7 @@ python () {
            d.appendVarFlag('do_package_write_rpm', 'dirs', ' ${ARCHIVER_RPMTOPDIR}')
            d.appendVarFlag('do_package_write_rpm', 'sstate-inputdirs', ' ${ARCHIVER_RPMTOPDIR}')
            d.appendVarFlag('do_package_write_rpm', 'sstate-outputdirs', ' ${DEPLOY_DIR_SRC}')
+            d.appendVar('PSEUDO_INCLUDE_PATHS', ',${ARCHIVER_TOPDIR}')
            if ar_dumpdata == "1":
                d.appendVarFlag('do_package_write_rpm', 'depends', ' %s:do_dumpdata' % pn)
            if ar_recipe == "1":
@@ -339,7 +340,7 @@ python do_ar_mirror() {
    dl_dir = d.getVar('DL_DIR')
    mirror_exclusions = (d.getVar('ARCHIVER_MIRROR_EXCLUDE') or '').split()
    mirror_mode = d.getVarFlag('ARCHIVER_MODE', 'mirror')
-    have_mirror_tarballs = d.getVar('BB_GENERATE_MIRROR_TARBALLS')
+    have_mirror_tarballs = oe.types.boolean(d.getVar('BB_GENERATE_MIRROR_TARBALLS'))
    if mirror_mode == 'combined':
        destdir = d.getVar('ARCHIVER_COMBINED_MIRRORDIR')
@@ -473,7 +474,8 @@ def create_diff_gz(d, src_orig, src, ar_outdir):
 def is_work_shared(d):
    sharedworkdir = os.path.join(d.getVar('TMPDIR'), 'work-shared')
-    return d.getVar('S').startswith(sharedworkdir)
+    sourcedir = os.path.realpath(d.getVar('S'))
+    return sourcedir.startswith(sharedworkdir)
 # Run do_unpack and do_patch
 python do_unpack_and_patch() {
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index fd53e92402..4a380c10c6 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -16,28 +16,6 @@ BUILDHISTORY_DIR ?= "${TOPDIR}/buildhistory"
 BUILDHISTORY_DIR_IMAGE = "${BUILDHISTORY_DIR}/images/${MACHINE_ARCH}/${TCLIBC}/${IMAGE_BASENAME}"
 BUILDHISTORY_DIR_PACKAGE = "${BUILDHISTORY_DIR}/packages/${MULTIMACH_TARGET_SYS}/${PN}"
-# Setting this to non-empty will remove the old content of the buildhistory as part of
-# the current bitbake invocation and replace it with information about what was built
-# during the build.
-#
-# This is meant to be used in continuous integration (CI) systems when invoking bitbake
-# for full world builds. The effect in that case is that information about packages
-# that no longer get build also gets removed from the buildhistory, which is not
-# the case otherwise.
-#
-# The advantage over manually cleaning the buildhistory outside of bitbake is that
-# the "version-going-backwards" check still works. When relying on that, be careful
-# about failed world builds: they will lead to incomplete information in the
-# buildhistory because information about packages that could not be built will
-# also get removed. A CI system should handle that by discarding the buildhistory
-# of failed builds.
-#
-# The expected usage is via auto.conf, but passing via the command line also works
-# with: BB_ENV_PASSTHROUGH_ADDITIONS=BUILDHISTORY_RESET BUILDHISTORY_RESET=1
-BUILDHISTORY_RESET ?= ""
-BUILDHISTORY_OLD_DIR = "${BUILDHISTORY_DIR}/${@ "old" if "${BUILDHISTORY_RESET}" else ""}"
-BUILDHISTORY_OLD_DIR_PACKAGE = "${BUILDHISTORY_OLD_DIR}/packages/${MULTIMACH_TARGET_SYS}/${PN}"
 BUILDHISTORY_DIR_SDK = "${BUILDHISTORY_DIR}/sdk/${SDK_NAME}${SDK_EXT}/${IMAGE_BASENAME}"
 BUILDHISTORY_IMAGE_FILES ?= "/etc/passwd /etc/group"
 BUILDHISTORY_SDK_FILES ?= "conf/local.conf conf/bblayers.conf conf/auto.conf conf/locked-sigs.inc conf/devtool.conf"
@@ -47,25 +25,33 @@ BUILDHISTORY_PUSH_REPO ?= ""
 BUILDHISTORY_TAG ?= "build"
 BUILDHISTORY_PATH_PREFIX_STRIP ?= ""
-SSTATEPOSTINSTFUNCS:append = " buildhistory_emit_pkghistory"
+# We want to avoid influencing the signatures of the task so use vardepsexclude
-# We want to avoid influencing the signatures of sstate tasks - first the function itself:
+do_populate_sysroot[postfuncs] += "buildhistory_emit_sysroot"
-sstate_install[vardepsexclude] += "buildhistory_emit_pkghistory"
+do_populate_sysroot_setscene[postfuncs] += "buildhistory_emit_sysroot"
-# then the value added to SSTATEPOSTINSTFUNCS:
+do_populate_sysroot[vardepsexclude] += "buildhistory_emit_sysroot"
-SSTATEPOSTINSTFUNCS[vardepvalueexclude] .= "| buildhistory_emit_pkghistory"
+do_package[postfuncs] += "buildhistory_list_pkg_files"
+do_package_setscene[postfuncs] += "buildhistory_list_pkg_files"
+do_package[vardepsexclude] += "buildhistory_list_pkg_files"
+do_packagedata[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata_setscene[postfuncs] += "buildhistory_emit_pkghistory"
+do_packagedata[vardepsexclude] += "buildhistory_emit_pkghistory"
 # Similarly for our function that gets the output signatures
 SSTATEPOSTUNPACKFUNCS:append = " buildhistory_emit_outputsigs"
 sstate_installpkgdir[vardepsexclude] += "buildhistory_emit_outputsigs"
 SSTATEPOSTUNPACKFUNCS[vardepvalueexclude] .= "| buildhistory_emit_outputsigs"
-# All items excepts those listed here will be removed from a recipe's
+# All items except those listed here will be removed from a recipe's
 # build history directory by buildhistory_emit_pkghistory(). This is
 # necessary because some of these items (package directories, files that
 # we no longer emit) might be obsolete.
 #
-# When extending build history, derive your class from buildhistory.bbclass
+# The files listed here are either written by tasks that aren't do_package (e.g.
-# and extend this list here with the additional files created by the derived
+# latest_srcrev from do_fetch) so do_package must not remove them, or, they're
-# class.
+# used to read values in do_package before always being overwritten, e.g. latest,
+# for version backwards checks.
 BUILDHISTORY_PRESERVE = "latest latest_srcrev sysroot"
 PATCH_GIT_USER_EMAIL ?= "buildhistory@oe"
@@ -91,28 +77,16 @@ buildhistory_emit_sysroot() {
 # Write out metadata about this package for comparison when writing future packages
 #
 python buildhistory_emit_pkghistory() {
-    if d.getVar('BB_CURRENTTASK') in ['populate_sysroot', 'populate_sysroot_setscene']:
-        bb.build.exec_func("buildhistory_emit_sysroot", d)
-        return 0
-    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
-        return 0
-    if d.getVar('BB_CURRENTTASK') in ['package', 'package_setscene']:
-        # Create files-in-<package-name>.txt files containing a list of files of each recipe's package
-        bb.build.exec_func("buildhistory_list_pkg_files", d)
-        return 0
-    if not d.getVar('BB_CURRENTTASK') in ['packagedata', 'packagedata_setscene']:
-        return 0
    import re
    import json
    import shlex
    import errno
+    import shutil
+    if not "package" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
+        return 0
    pkghistdir = d.getVar('BUILDHISTORY_DIR_PACKAGE')
-    oldpkghistdir = d.getVar('BUILDHISTORY_OLD_DIR_PACKAGE')
    class RecipeInfo:
        def __init__(self, name):
@@ -153,7 +127,7 @@ python buildhistory_emit_pkghistory() {
            # Variables that need to be written to their own separate file
            self.filevars = dict.fromkeys(['pkg_preinst', 'pkg_postinst', 'pkg_prerm', 'pkg_postrm'])
-    # Should check PACKAGES here to see if anything removed
+    # Should check PACKAGES here to see if anything was removed
    def readPackageInfo(pkg, histfile):
        pkginfo = PackageInfo(pkg)
@@ -207,7 +181,7 @@ python buildhistory_emit_pkghistory() {
    def getlastpkgversion(pkg):
        try:
-            histfile = os.path.join(oldpkghistdir, pkg, "latest")
+            histfile = os.path.join(pkghistdir, pkg, "latest")
            return readPackageInfo(pkg, histfile)
        except EnvironmentError:
            return None
@@ -535,7 +509,7 @@ buildhistory_get_installed() {
                grep -v kernel-module $1/depends-nokernel-nolibc-noupdate.dot > $1/depends-nokernel-nolibc-noupdate-nomodules.dot
        fi
-        # add complementary package information
+        # Add complementary package information
        if [ -e ${WORKDIR}/complementary_pkgs.txt ]; then
                cp ${WORKDIR}/complementary_pkgs.txt $1
        fi
@@ -573,7 +547,7 @@ buildhistory_get_sdk_installed_target() {
 buildhistory_list_files() {
        # List the files in the specified directory, but exclude date/time etc.
-        # This is somewhat messy, but handles where the size is not printed for device files under pseudo
+        # This is somewhat messy, but handles cases where the size is not printed for device files under pseudo
        ( cd $1
        find_cmd='find . ! -path . -printf "%M %-10u %-10g %10s %p -> %l\n"'
        if [ "$3" = "fakeroot" ] ; then
@@ -587,7 +561,7 @@ buildhistory_list_files_no_owners() {
        # List the files in the specified directory, but exclude date/time etc.
        # Also don't output the ownership data, but instead output just - - so
        # that the same parsing code as for _list_files works.
-        # This is somewhat messy, but handles where the size is not printed for device files under pseudo
+        # This is somewhat messy, but handles cases where the size is not printed for device files under pseudo
        ( cd $1
        find_cmd='find . ! -path . -printf "%M -          -          %10s %p -> %l\n"'
        if [ "$3" = "fakeroot" ] ; then
@@ -598,16 +572,17 @@ buildhistory_list_files_no_owners() {
 }
 buildhistory_list_pkg_files() {
+        if [ "${@bb.utils.contains('BUILDHISTORY_FEATURES', 'package', '1', '0', d)}" = "0" ] ; then
+                return
+        fi
        # Create individual files-in-package for each recipe's package
-        for pkgdir in $(find ${PKGDEST}/* -maxdepth 0 -type d); do
+        pkgdirlist=$(find ${PKGDEST}/* -maxdepth 0 -type d)
+        for pkgdir in $pkgdirlist; do
                pkgname=$(basename $pkgdir)
                outfolder="${BUILDHISTORY_DIR_PACKAGE}/$pkgname"
                outfile="$outfolder/files-in-package.txt"
-                # Make sure the output folder exists so we can create the file
+                mkdir -p $outfolder
-                if [ ! -d $outfolder ] ; then
-                        bbdebug 2 "Folder $outfolder does not exist, file $outfile not created"
-                        continue
-                fi
                buildhistory_list_files $pkgdir $outfile fakeroot
        done
 }
@@ -842,9 +817,9 @@ END
                if [ ! -e .git ] ; then
                        git init -q
                else
-                        git tag -f ${BUILDHISTORY_TAG}-minus-3 ${BUILDHISTORY_TAG}-minus-2 > /dev/null 2>&1 || true
+                        git tag -f --no-sign ${BUILDHISTORY_TAG}-minus-3 ${BUILDHISTORY_TAG}-minus-2 > /dev/null 2>&1 || true
-                        git tag -f ${BUILDHISTORY_TAG}-minus-2 ${BUILDHISTORY_TAG}-minus-1 > /dev/null 2>&1 || true
+                        git tag -f --no-sign ${BUILDHISTORY_TAG}-minus-2 ${BUILDHISTORY_TAG}-minus-1 > /dev/null 2>&1 || true
-                        git tag -f ${BUILDHISTORY_TAG}-minus-1 > /dev/null 2>&1 || true
+                        git tag -f --no-sign ${BUILDHISTORY_TAG}-minus-1 > /dev/null 2>&1 || true
                fi
                check_git_config
@@ -855,10 +830,9 @@ END
                CMDLINE="${@buildhistory_get_cmdline(d)}"
                if [ "$repostatus" != "" ] ; then
                        git add -A .
-                        # porcelain output looks like "?? packages/foo/bar"
+                        # Porcelain output looks like "?? packages/foo/bar"
                        # Ensure we commit metadata-revs with the first commit
                        buildhistory_single_commit "$CMDLINE" "$HOSTNAME" dummy
-                        git gc --auto --quiet
                else
                        buildhistory_single_commit "$CMDLINE" "$HOSTNAME"
                fi
@@ -869,25 +843,7 @@ END
 python buildhistory_eventhandler() {
    if (e.data.getVar('BUILDHISTORY_FEATURES') or "").strip():
-        reset = e.data.getVar("BUILDHISTORY_RESET")
+        if isinstance(e, bb.event.BuildCompleted):
-        olddir = e.data.getVar("BUILDHISTORY_OLD_DIR")
-        if isinstance(e, bb.event.BuildStarted):
-            if reset:
-                import shutil
-                # Clean up after potentially interrupted build.
-                if os.path.isdir(olddir):
-                    shutil.rmtree(olddir)
-                rootdir = e.data.getVar("BUILDHISTORY_DIR")
-                bb.utils.mkdirhier(rootdir)
-                entries = [ x for x in os.listdir(rootdir) if not x.startswith('.') ]
-                bb.utils.mkdirhier(olddir)
-                for entry in entries:
-                    bb.utils.rename(os.path.join(rootdir, entry),
-                              os.path.join(olddir, entry))
-        elif isinstance(e, bb.event.BuildCompleted):
-            if reset:
-                import shutil
-                shutil.rmtree(olddir)
            if e.data.getVar("BUILDHISTORY_COMMIT") == "1":
                bb.note("Writing buildhistory")
                bb.build.exec_func("buildhistory_write_sigs", d)
@@ -925,13 +881,12 @@ def _get_srcrev_values(d):
    dict_tag_srcrevs = {}
    for scm in scms:
        ud = urldata[scm]
-        for name in ud.names:
+        autoinc, rev = ud.method.sortable_revision(ud, d, ud.name)
-            autoinc, rev = ud.method.sortable_revision(ud, d, name)
+        dict_srcrevs[ud.name] = rev
-            dict_srcrevs[name] = rev
+        if 'tag' in ud.parm:
-            if 'tag' in ud.parm:
+            tag = ud.parm['tag'];
-                tag = ud.parm['tag'];
+            key = ud.name+'_'+tag
-                key = name+'_'+tag
+            dict_tag_srcrevs[key] = rev
-                dict_tag_srcrevs[key] = rev
    return (dict_srcrevs, dict_tag_srcrevs)
 do_fetch[postfuncs] += "write_srcrev"
@@ -990,7 +945,7 @@ def write_latest_ptest_result(d, histdir):
    output_ptest = os.path.join(histdir, 'ptest')
    if os.path.exists(input_ptest):
        try:
-            # Lock it avoid race issue
+            # Lock it to avoid race issue
            lock = bb.utils.lockfile(output_ptest + "/ptest.lock")
            bb.utils.mkdirhier(output_ptest)
            oe.path.copytree(input_ptest, output_ptest)
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 7c8a0b8b0f..94e0108815 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -4,36 +4,9 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
-DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx"
+inherit spdx-common
-# The product name that the CVE database uses.  Defaults to BPN, but may need to
+SPDX_VERSION = "2.2"
-# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
-CVE_PRODUCT ??= "${BPN}"
-CVE_VERSION ??= "${PV}"
-SPDXDIR ??= "${WORKDIR}/spdx"
-SPDXDEPLOY = "${SPDXDIR}/deploy"
-SPDXWORK = "${SPDXDIR}/work"
-SPDXIMAGEWORK = "${SPDXDIR}/image-work"
-SPDXSDKWORK = "${SPDXDIR}/sdk-work"
-SPDXDEPS = "${SPDXDIR}/deps.json"
-SPDX_TOOL_NAME ??= "oe-spdx-creator"
-SPDX_TOOL_VERSION ??= "1.0"
-SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
-SPDX_INCLUDE_SOURCES ??= "0"
-SPDX_ARCHIVE_SOURCES ??= "0"
-SPDX_ARCHIVE_PACKAGED ??= "0"
-SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
-SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
-SPDX_PRETTY ??= "0"
-SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
-SPDX_CUSTOM_ANNOTATION_VARS ??= ""
 SPDX_ORG ??= "OpenEmbedded ()"
 SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
@@ -42,27 +15,16 @@ SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created f
    is the contact information for the person or organization who is doing the \
    build."
-def extract_licenses(filename):
+SPDX_ARCHIVE_SOURCES ??= "0"
-    import re
+SPDX_ARCHIVE_PACKAGED ??= "0"
-    lic_regex = re.compile(rb'^\W*SPDX-License-Identifier:\s*([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
-    try:
-        with open(filename, 'rb') as f:
-            size = min(15000, os.stat(filename).st_size)
-            txt = f.read(size)
-            licenses = re.findall(lic_regex, txt)
-            if licenses:
-                ascii_licenses = [lic.decode('ascii') for lic in licenses]
-                return ascii_licenses
-    except Exception as e:
-        bb.warn(f"Exception reading {filename}: {e}")
-    return None
-def get_doc_namespace(d, doc):
+def get_namespace(d, name):
    import uuid
    namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
-    return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))
+    return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name)))
+SPDX_PACKAGE_VERSION ??= "${PV}"
+SPDX_PACKAGE_VERSION[doc] = "The version of a package, versionInfo in recipe, package and image"
 def create_annotation(d, comment):
    from datetime import datetime, timezone
@@ -80,31 +42,16 @@ def recipe_spdx_is_native(d, recipe):
      a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and
      a.comment == "isNative" for a in recipe.annotations)
-def is_work_shared_spdx(d):
-    return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR'))
 def get_json_indent(d):
    if d.getVar("SPDX_PRETTY") == "1":
        return 2
    return None
-python() {
-    import json
-    if d.getVar("SPDX_LICENSE_DATA"):
-        return
-    with open(d.getVar("SPDX_LICENSES"), "r") as f:
-        data = json.load(f)
-        # Transform the license array to a dictionary
-        data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
-        d.setVar("SPDX_LICENSE_DATA", data)
-}
-def convert_license_to_spdx(lic, document, d, existing={}):
+def convert_license_to_spdx(lic, license_data, document, d, existing={}):
    from pathlib import Path
    import oe.spdx
-    license_data = d.getVar("SPDX_LICENSE_DATA")
    extracted = {}
    def add_extracted_license(ident, name):
@@ -132,11 +79,17 @@ def convert_license_to_spdx(lic, document, d, existing={}):
                    pass
            if extracted_info.extractedText is None:
                # If it's not SPDX or PD, then NO_GENERIC_LICENSE must be set
-                filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
+                entry = d.getVarFlag('NO_GENERIC_LICENSE', name).split(';')
+                filename = entry[0]
+                params = {i.split('=')[0]: i.split('=')[1] for i in entry[1:] if '=' in i}
+                beginline = int(params.get('beginline', 1))
+                endline = params.get('endline', None)
+                if endline:
+                    endline = int(endline)
                if filename:
                    filename = d.expand("${S}/" + filename)
                    with open(filename, errors="replace") as f:
-                        extracted_info.extractedText = f.read()
+                        extracted_info.extractedText = "".join(line for idx, line in enumerate(f, 1) if beginline <= idx and idx <= (endline or idx))
                else:
                    bb.fatal("Cannot find any text for license %s" % name)
@@ -172,37 +125,10 @@ def convert_license_to_spdx(lic, document, d, existing={}):
    return ' '.join(convert(l) for l in lic_split)
-def process_sources(d):
-    pn = d.getVar('PN')
-    assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
-    if pn in assume_provided:
-        for p in d.getVar("PROVIDES").split():
-            if p != pn:
-                pn = p
-                break
-    # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
-    # so avoid archiving source here.
-    if pn.startswith('glibc-locale'):
-        return False
-    if d.getVar('PN') == "libtool-cross":
-        return False
-    if d.getVar('PN') == "libgcc-initial":
-        return False
-    if d.getVar('PN') == "shadow-sysroot":
-        return False
-    # We just archive gcc-source for all the gcc related recipes
-    if d.getVar('BPN') in ['gcc', 'libgcc']:
-        bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
-        return False
-    return True
 def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
    from pathlib import Path
    import oe.spdx
+    import oe.spdx_common
    import hashlib
    source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
@@ -213,6 +139,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
    spdx_files = []
    file_counter = 1
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
    for subdir, dirs, files in os.walk(topdir):
        dirs[:] = [d for d in dirs if d not in ignore_dirs]
        if subdir == str(topdir):
@@ -223,6 +154,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
            filename = str(filepath.relative_to(topdir))
            if not filepath.is_symlink() and filepath.is_file():
+                # Check if file is compiled
+                if check_compiled_sources:
+                     if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
+                          continue
                spdx_file = oe.spdx.SPDXFile()
                spdx_file.SPDXID = get_spdxid(file_counter)
                for t in get_types(filepath):
@@ -255,7 +190,7 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
                    ))
                if "SOURCE" in spdx_file.fileTypes:
-                    extracted_lics = extract_licenses(filepath)
+                    extracted_lics = oe.spdx_common.extract_licenses(filepath)
                    if extracted_lics:
                        spdx_file.licenseInfoInFiles = extracted_lics
@@ -313,7 +248,8 @@ def add_package_sources_from_debug(d, package_doc, spdx_package, package, packag
                    debugsrc_path = search / debugsrc.replace('/usr/src/kernel/', '')
                else:
                    debugsrc_path = search / debugsrc.lstrip("/")
-                if not debugsrc_path.exists():
+                # We can only hash files below, skip directories, links, etc.
+                if not os.path.isfile(debugsrc_path):
                    continue
                file_sha256 = bb.utils.sha256_file(debugsrc_path)
@@ -346,32 +282,31 @@ def collect_dep_recipes(d, doc, spdx_recipe):
    from pathlib import Path
    import oe.sbom
    import oe.spdx
+    import oe.spdx_common
    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
+    package_archs = d.getVar("SPDX_MULTILIB_SSTATE_ARCHS").split()
-    package_archs = d.getVar("SSTATE_ARCHS").split()
    package_archs.reverse()
    dep_recipes = []
-    with spdx_deps_file.open("r") as f:
+    deps = oe.spdx_common.get_spdx_deps(d)
-        deps = json.load(f)
-    for dep_pn, dep_hashfn, in_taskhash in deps:
+    for dep in deps:
        # If this dependency is not calculated in the taskhash skip it.
        # Otherwise, it can result in broken links since this task won't
        # rebuild and see the new SPDX ID if the dependency changes
-        if not in_taskhash:
+        if not dep.in_taskhash:
            continue
-        dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep_pn, dep_hashfn)
+        dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep.pn, dep.hashfn)
        if not dep_recipe_path:
-            bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep_pn, dep_hashfn))
+            bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep.pn, dep.hashfn))
        spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_recipe_path)
        for pkg in spdx_dep_doc.packages:
-            if pkg.name == dep_pn:
+            if pkg.name == dep.pn:
                spdx_dep_recipe = pkg
                break
        else:
@@ -395,7 +330,7 @@ def collect_dep_recipes(d, doc, spdx_recipe):
    return dep_recipes
-collect_dep_recipes[vardepsexclude] = "SSTATE_ARCHS"
+collect_dep_recipes[vardepsexclude] = "SPDX_MULTILIB_SSTATE_ARCHS"
 def collect_dep_sources(d, dep_recipes):
    import oe.sbom
@@ -430,99 +365,52 @@ def add_download_packages(d, doc, recipe):
    for download_idx, src_uri in enumerate(d.getVar('SRC_URI').split()):
        f = bb.fetch2.FetchData(src_uri, d)
-        for name in f.names:
+        package = oe.spdx.SPDXPackage()
-            package = oe.spdx.SPDXPackage()
+        package.name = "%s-source-%d" % (d.getVar("PN"), download_idx + 1)
-            package.name = "%s-source-%d" % (d.getVar("PN"), download_idx + 1)
+        package.SPDXID = oe.sbom.get_download_spdxid(d, download_idx + 1)
-            package.SPDXID = oe.sbom.get_download_spdxid(d, download_idx + 1)
-            if f.type == "file":
+        if f.type == "file":
-                continue
+            continue
-            uri = f.type
+        if f.method.supports_checksum(f):
-            proto = getattr(f, "proto", None)
+            for checksum_id in CHECKSUM_LIST:
-            if proto is not None:
+                if checksum_id.upper() not in oe.spdx.SPDXPackage.ALLOWED_CHECKSUMS:
-                uri = uri + "+" + proto
+                    continue
-            uri = uri + "://" + f.host + f.path
-            if f.method.supports_srcrev():
-                uri = uri + "@" + f.revisions[name]
-            if f.method.supports_checksum(f):
-                for checksum_id in CHECKSUM_LIST:
-                    if checksum_id.upper() not in oe.spdx.SPDXPackage.ALLOWED_CHECKSUMS:
-                        continue
-                    expected_checksum = getattr(f, "%s_expected" % checksum_id)
-                    if expected_checksum is None:
-                        continue
-                    c = oe.spdx.SPDXChecksum()
-                    c.algorithm = checksum_id.upper()
-                    c.checksumValue = expected_checksum
-                    package.checksums.append(c)
-            package.downloadLocation = uri
-            doc.packages.append(package)
-            doc.add_relationship(doc, "DESCRIBES", package)
-            # In the future, we might be able to do more fancy dependencies,
-            # but this should be sufficient for now
-            doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
-def collect_direct_deps(d, dep_task):
-    current_task = "do_" + d.getVar("BB_CURRENTTASK")
-    pn = d.getVar("PN")
-    taskdepdata = d.getVar("BB_TASKDEPDATA", False)
-    for this_dep in taskdepdata.values():
-        if this_dep[0] == pn and this_dep[1] == current_task:
-            break
-    else:
-        bb.fatal(f"Unable to find this {pn}:{current_task} in taskdepdata")
-    deps = set()
-    for dep_name in this_dep[3]:
-        dep_data = taskdepdata[dep_name]
-        if dep_data[1] == dep_task and dep_data[0] != pn:
-            deps.add((dep_data[0], dep_data[7], dep_name in this_dep[8]))
-    return sorted(deps)
-collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
-collect_direct_deps[vardeps] += "DEPENDS"
-python do_collect_spdx_deps() {
-    # This task calculates the build time dependencies of the recipe, and is
-    # required because while a task can deptask on itself, those dependencies
-    # do not show up in BB_TASKDEPDATA. To work around that, this task does the
-    # deptask on do_create_spdx and writes out the dependencies it finds, then
-    # do_create_spdx reads in the found dependencies when writing the actual
-    # SPDX document
-    import json
-    from pathlib import Path
-    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
+                expected_checksum = getattr(f, "%s_expected" % checksum_id)
+                if expected_checksum is None:
+                    continue
-    deps = collect_direct_deps(d, "do_create_spdx")
+                c = oe.spdx.SPDXChecksum()
+                c.algorithm = checksum_id.upper()
+                c.checksumValue = expected_checksum
+                package.checksums.append(c)
+        package.downloadLocation = oe.spdx_common.fetch_data_to_uri(f, f.name)
+        doc.packages.append(package)
+        doc.add_relationship(doc, "DESCRIBES", package)
+        # In the future, we might be able to do more fancy dependencies,
+        # but this should be sufficient for now
+        doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
+def get_license_list_version(license_data, d):
+    # Newer versions of the SPDX license list are SemVer ("MAJOR.MINOR.MICRO"),
+    # but SPDX 2 only uses "MAJOR.MINOR".
+    return ".".join(license_data["licenseListVersion"].split(".")[:2])
-    with spdx_deps_file.open("w") as f:
-        json.dump(deps, f)
-}
-# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
-addtask do_collect_spdx_deps after do_unpack
-do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
-do_collect_spdx_deps[deptask] = "do_create_spdx"
-do_collect_spdx_deps[dirs] = "${SPDXDIR}"
 python do_create_spdx() {
    from datetime import datetime, timezone
    import oe.sbom
    import oe.spdx
+    import oe.spdx_common
    import uuid
    from pathlib import Path
    from contextlib import contextmanager
    import oe.cve_check
+    license_data = oe.spdx_common.load_spdx_license_data(d)
    @contextmanager
    def optional_tarfile(name, guard, mode="w"):
        import tarfile
@@ -551,17 +439,17 @@ python do_create_spdx() {
    doc = oe.spdx.SPDXDocument()
    doc.name = "recipe-" + d.getVar("PN")
-    doc.documentNamespace = get_doc_namespace(d, doc)
+    doc.documentNamespace = get_namespace(d, doc.name)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
-    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+    doc.creationInfo.licenseListVersion = get_license_list_version(license_data, d)
    doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
    doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
    doc.creationInfo.creators.append("Person: N/A ()")
    recipe = oe.spdx.SPDXPackage()
    recipe.name = d.getVar("PN")
-    recipe.versionInfo = d.getVar("PV")
+    recipe.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
    recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
    recipe.supplier = d.getVar("SPDX_SUPPLIER")
    if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
@@ -573,7 +461,7 @@ python do_create_spdx() {
    license = d.getVar("LICENSE")
    if license:
-        recipe.licenseDeclared = convert_license_to_spdx(license, doc, d)
+        recipe.licenseDeclared = convert_license_to_spdx(license, license_data, doc, d)
    summary = d.getVar("SUMMARY")
    if summary:
@@ -610,10 +498,10 @@ python do_create_spdx() {
    add_download_packages(d, doc, recipe)
-    if process_sources(d) and include_sources:
+    if oe.spdx_common.process_sources(d) and include_sources:
        recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.zst")
        with optional_tarfile(recipe_archive, archive_sources) as archive:
-            spdx_get_src(d)
+            oe.spdx_common.get_patched_src(d)
            add_package_files(
                d,
@@ -655,10 +543,10 @@ python do_create_spdx() {
            package_doc = oe.spdx.SPDXDocument()
            pkg_name = d.getVar("PKG:%s" % package) or package
            package_doc.name = pkg_name
-            package_doc.documentNamespace = get_doc_namespace(d, package_doc)
+            package_doc.documentNamespace = get_namespace(d, package_doc.name)
            package_doc.creationInfo.created = creation_time
            package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
-            package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+            package_doc.creationInfo.licenseListVersion = get_license_list_version(license_data, d)
            package_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
            package_doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
            package_doc.creationInfo.creators.append("Person: N/A ()")
@@ -670,8 +558,8 @@ python do_create_spdx() {
            spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
            spdx_package.name = pkg_name
-            spdx_package.versionInfo = d.getVar("PV")
+            spdx_package.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
-            spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
+            spdx_package.licenseDeclared = convert_license_to_spdx(package_license, license_data, package_doc, d, found_licenses)
            spdx_package.supplier = d.getVar("SPDX_SUPPLIER")
            package_doc.packages.append(spdx_package)
@@ -714,50 +602,16 @@ addtask do_create_spdx_setscene
 do_create_spdx[dirs] = "${SPDXWORK}"
 do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
-do_create_spdx[depends] += "${PATCHDEPENDENCY}"
+do_create_spdx[depends] += " \
+    ${PATCHDEPENDENCY} \
-def collect_package_providers(d):
+    ${@create_spdx_source_deps(d)} \
-    from pathlib import Path
+"
-    import oe.sbom
-    import oe.spdx
-    import json
-    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    providers = {}
-    deps = collect_direct_deps(d, "do_create_spdx")
-    deps.append((d.getVar("PN"), d.getVar("BB_HASHFILENAME"), True))
-    for dep_pn, dep_hashfn, _ in deps:
-        localdata = d
-        recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
-        if not recipe_data:
-            localdata = bb.data.createCopy(d)
-            localdata.setVar("PKGDATA_DIR", "${PKGDATA_DIR_SDK}")
-            recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
-        for pkg in recipe_data.get("PACKAGES", "").split():
-            pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, localdata)
-            rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
-            rprovides.add(pkg)
-            if "PKG" in pkg_data:
-                pkg = pkg_data["PKG"]
-                rprovides.add(pkg)
-            for r in rprovides:
-                providers[r] = (pkg, dep_hashfn)
-    return providers
-collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
 python do_create_runtime_spdx() {
    from datetime import datetime, timezone
    import oe.sbom
    import oe.spdx
+    import oe.spdx_common
    import oe.packagedata
    from pathlib import Path
@@ -767,9 +621,11 @@ python do_create_runtime_spdx() {
    creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
-    providers = collect_package_providers(d)
+    license_data = oe.spdx_common.load_spdx_license_data(d)
+    providers = oe.spdx_common.collect_package_providers(d)
    pkg_arch = d.getVar("SSTATE_PKGARCH")
-    package_archs = d.getVar("SSTATE_ARCHS").split()
+    package_archs = d.getVar("SPDX_MULTILIB_SSTATE_ARCHS").split()
    package_archs.reverse()
    if not is_native:
@@ -800,10 +656,10 @@ python do_create_runtime_spdx() {
            runtime_doc = oe.spdx.SPDXDocument()
            runtime_doc.name = "runtime-" + pkg_name
-            runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)
+            runtime_doc.documentNamespace = get_namespace(localdata, runtime_doc.name)
            runtime_doc.creationInfo.created = creation_time
            runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
-            runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+            runtime_doc.creationInfo.licenseListVersion = get_license_list_version(license_data, d)
            runtime_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
            runtime_doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
            runtime_doc.creationInfo.creators.append("Person: N/A ()")
@@ -875,7 +731,7 @@ python do_create_runtime_spdx() {
            oe.sbom.write_doc(d, runtime_doc, pkg_arch, "runtime", spdx_deploy, indent=get_json_indent(d))
 }
-do_create_runtime_spdx[vardepsexclude] += "OVERRIDES SSTATE_ARCHS"
+do_create_runtime_spdx[vardepsexclude] += "OVERRIDES SPDX_MULTILIB_SSTATE_ARCHS"
 addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work
 SSTATETASKS += "do_create_runtime_spdx"
@@ -891,60 +747,6 @@ do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
 do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
 do_create_runtime_spdx[rdeptask] = "do_create_spdx"
-def spdx_get_src(d):
-    """
-    save patched source of the recipe in SPDX_WORKDIR.
-    """
-    import shutil
-    spdx_workdir = d.getVar('SPDXWORK')
-    spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
-    pn = d.getVar('PN')
-    workdir = d.getVar("WORKDIR")
-    try:
-        # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
-        if not is_work_shared_spdx(d):
-            # Change the WORKDIR to make do_unpack do_patch run in another dir.
-            d.setVar('WORKDIR', spdx_workdir)
-            # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
-            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
-            # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
-            # possibly requiring of the following tasks (such as some recipes's
-            # do_patch required 'B' existed).
-            bb.utils.mkdirhier(d.getVar('B'))
-            bb.build.exec_func('do_unpack', d)
-        # Copy source of kernel to spdx_workdir
-        if is_work_shared_spdx(d):
-            share_src = d.getVar('WORKDIR')
-            d.setVar('WORKDIR', spdx_workdir)
-            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
-            src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
-            bb.utils.mkdirhier(src_dir)
-            if bb.data.inherits_class('kernel',d):
-                share_src = d.getVar('STAGING_KERNEL_DIR')
-            cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
-            cmd_copy_shared_res = os.popen(cmd_copy_share).read()
-            bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res)
-            git_path = src_dir + "/.git"
-            if os.path.exists(git_path):
-                shutils.rmtree(git_path)
-        # Make sure gcc and kernel sources are patched only once
-        if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)):
-            bb.build.exec_func('do_patch', d)
-        # Some userland has no source.
-        if not os.path.exists( spdx_workdir ):
-            bb.utils.mkdirhier(spdx_workdir)
-    finally:
-        d.setVar("WORKDIR", workdir)
-spdx_get_src[vardepsexclude] += "STAGING_KERNEL_DIR"
 do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
 do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"
@@ -1002,6 +804,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
    import os
    import oe.spdx
    import oe.sbom
+    import oe.spdx_common
    import io
    import json
    from datetime import timezone, datetime
@@ -1009,8 +812,10 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
    import tarfile
    import bb.compress.zstd
-    providers = collect_package_providers(d)
+    license_data = oe.spdx_common.load_spdx_license_data(d)
-    package_archs = d.getVar("SSTATE_ARCHS").split()
+    providers = oe.spdx_common.collect_package_providers(d)
+    package_archs = d.getVar("SPDX_MULTILIB_SSTATE_ARCHS").split()
    package_archs.reverse()
    creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
@@ -1019,68 +824,69 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
    doc = oe.spdx.SPDXDocument()
    doc.name = rootfs_name
-    doc.documentNamespace = get_doc_namespace(d, doc)
+    doc.documentNamespace = get_namespace(d, doc.name)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
-    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+    doc.creationInfo.licenseListVersion = get_license_list_version(license_data, d)
    doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
    doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
    doc.creationInfo.creators.append("Person: N/A ()")
    image = oe.spdx.SPDXPackage()
    image.name = d.getVar("PN")
-    image.versionInfo = d.getVar("PV")
+    image.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
    image.SPDXID = rootfs_spdxid
    image.supplier = d.getVar("SPDX_SUPPLIER")
    doc.packages.append(image)
-    for name in sorted(packages.keys()):
+    if packages:
-        if name not in providers:
+        for name in sorted(packages.keys()):
-            bb.fatal("Unable to find SPDX provider for '%s'" % name)
+            if name not in providers:
+                bb.fatal("Unable to find SPDX provider for '%s'" % name)
-        pkg_name, pkg_hashfn = providers[name]
-        pkg_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, pkg_name, pkg_hashfn)
+            pkg_name, pkg_hashfn = providers[name]
-        if not pkg_spdx_path:
-            bb.fatal("No SPDX file found for package %s, %s" % (pkg_name, pkg_hashfn))
-        pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
+            pkg_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, pkg_name, pkg_hashfn)
+            if not pkg_spdx_path:
+                bb.fatal("No SPDX file found for package %s, %s" % (pkg_name, pkg_hashfn))
-        for p in pkg_doc.packages:
+            pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
-            if p.name == name:
-                pkg_ref = oe.spdx.SPDXExternalDocumentRef()
-                pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
-                pkg_ref.spdxDocument = pkg_doc.documentNamespace
-                pkg_ref.checksum.algorithm = "SHA1"
-                pkg_ref.checksum.checksumValue = pkg_doc_sha1
-                doc.externalDocumentRefs.append(pkg_ref)
+            for p in pkg_doc.packages:
-                doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
+                if p.name == name:
-                break
+                    pkg_ref = oe.spdx.SPDXExternalDocumentRef()
-        else:
+                    pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
-            bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
+                    pkg_ref.spdxDocument = pkg_doc.documentNamespace
+                    pkg_ref.checksum.algorithm = "SHA1"
+                    pkg_ref.checksum.checksumValue = pkg_doc_sha1
-        runtime_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "runtime-" + name, pkg_hashfn)
+                    doc.externalDocumentRefs.append(pkg_ref)
-        if not runtime_spdx_path:
+                    doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
-            bb.fatal("No runtime SPDX document found for %s, %s" % (name, pkg_hashfn))
+                    break
+            else:
-        runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)
+                bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
-        runtime_ref = oe.spdx.SPDXExternalDocumentRef()
+            runtime_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "runtime-" + name, pkg_hashfn)
-        runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
+            if not runtime_spdx_path:
-        runtime_ref.spdxDocument = runtime_doc.documentNamespace
+                bb.fatal("No runtime SPDX document found for %s, %s" % (name, pkg_hashfn))
-        runtime_ref.checksum.algorithm = "SHA1"
-        runtime_ref.checksum.checksumValue = runtime_doc_sha1
+            runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)
-        # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
+            runtime_ref = oe.spdx.SPDXExternalDocumentRef()
-        doc.externalDocumentRefs.append(runtime_ref)
+            runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
-        doc.add_relationship(
+            runtime_ref.spdxDocument = runtime_doc.documentNamespace
-            image,
+            runtime_ref.checksum.algorithm = "SHA1"
-            "OTHER",
+            runtime_ref.checksum.checksumValue = runtime_doc_sha1
-            "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
-            comment="Runtime dependencies for %s" % name
+            # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
-        )
+            doc.externalDocumentRefs.append(runtime_ref)
+            doc.add_relationship(
+                image,
+                "OTHER",
+                "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
+                comment="Runtime dependencies for %s" % name
+            )
    bb.utils.mkdirhier(spdx_workdir)
    image_spdx_path = spdx_workdir / (rootfs_name + ".spdx.json")
@@ -1161,4 +967,4 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
            tar.addfile(info, fileobj=index_str)
-combine_spdx[vardepsexclude] += "BB_NUMBER_THREADS SSTATE_ARCHS"
+combine_spdx[vardepsexclude] += "BB_NUMBER_THREADS SPDX_MULTILIB_SSTATE_ARCHS"
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
new file mode 100644
index 0000000000..c0a5436ad6
--- /dev/null
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -0,0 +1,205 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+inherit spdx-common
+SPDX_VERSION = "3.0.1"
+# The list of SPDX profiles generated documents will conform to
+SPDX_PROFILES ?= "core build software simpleLicensing security"
+SPDX_INCLUDE_BUILD_VARIABLES ??= "0"
+SPDX_INCLUDE_BUILD_VARIABLES[doc] = "If set to '1', the bitbake variables for a \
+    recipe will be included in the Build object. This will most likely result \
+    in non-reproducible SPDX output"
+SPDX_INCLUDE_BITBAKE_PARENT_BUILD ??= "0"
+SPDX_INCLUDE_BITBAKE_PARENT_BUILD[doc] = "Report the parent invocation of bitbake \
+    for each Build object. This allows you to know who invoked bitbake to perform \
+    a build, but will result in non-reproducible SPDX output."
+SPDX_PACKAGE_ADDITIONAL_PURPOSE ?= ""
+SPDX_PACKAGE_ADDITIONAL_PURPOSE[doc] = "The list of additional purposes to assign to \
+    the generated packages for a recipe. The primary purpose is always `install`. \
+    Packages overrides are allowed to override the additional purposes for \
+    individual packages."
+SPDX_IMAGE_PURPOSE ?= "filesystemImage"
+SPDX_IMAGE_PURPOSE[doc] = "The list of purposes to assign to the generated images. \
+    The first listed item will be the Primary Purpose and all additional items will \
+    be added as additional purposes"
+SPDX_SDK_PURPOSE ?= "install"
+SPDX_SDK_PURPOSE[doc] = "The list of purposes to assign to the generate SDK installer. \
+    The first listed item will be the Primary Purpose and all additional items will \
+    be added as additional purposes"
+SPDX_INCLUDE_VEX ??= "current"
+SPDX_INCLUDE_VEX[doc] = "Controls what VEX information is in the output. Set to \
+    'none' to disable all VEX data. Set to 'current' to only include VEX data \
+    for vulnerabilities not already fixed in the upstream source code \
+    (recommended). Set  to 'all' to get all known historical vulnerabilities, \
+    including those already fixed upstream (warning: This can be large and \
+    slow)."
+SPDX_INCLUDE_TIMESTAMPS ?= "0"
+SPDX_INCLUDE_TIMESTAMPS[doc] = "Include time stamps in SPDX output. This is \
+    useful if you want to know when artifacts were produced and when builds \
+    occurred, but will result in non-reproducible SPDX output"
+SPDX_IMPORTS ??= ""
+SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
+    reference external SPDX ids. Each import is defined as a key in this \
+    variable with a suffix to describe to as a suffix to look up more \
+    information about the import. Each key can have the following variables: \
+        SPDX_IMPORTS_<key>_spdxid: The Fully qualified SPDX ID of the object \
+        SPDX_IMPORTS_<key>_uri: The URI where the SPDX Document that contains \
+            the external object can be found. Optional but recommended \
+        SPDX_IMPORTS_<key>_hash_<hash>: The Checksum of the SPDX Document that \
+            contains the External ID. <hash> must be one the valid SPDX hashing \
+            algorithms, as described by the HashAlgorithm vocabulary in the\
+            SPDX 3 spec. Optional but recommended"
+# Agents
+#   Bitbake variables can be used to describe an SPDX Agent that may be used
+#   during the build. An Agent is specified using a set of variables which all
+#   start with some common base name:
+#
+#   <BASE>_name: The name of the Agent (required)
+#   <BASE>_type: The type of Agent. Must be one of "person", "organization",
+#       "software", or "agent" (the default if not specified)
+#   <BASE>_comment: The comment for the Agent (optional)
+#   <BASE>_id_<ID>: And External Identifier for the Agent. <ID> must be a valid
+#       ExternalIdentifierType from the SPDX 3 spec. Commonly, an E-mail address
+#       can be specified with <BASE>_id_email
+#
+#   Alternatively, an Agent can be an external reference by referencing a key
+#   in SPDX_IMPORTS like so:
+#
+#   <BASE>_import = "<key>"
+#
+#   Finally, the same agent described by another set of agent variables can be
+#   referenced by specifying the basename of the variable that should be
+#   referenced:
+#
+#   SPDX_PACKAGE_SUPPLIER_ref = "SPDX_AUTHORS_openembedded"
+SPDX_AUTHORS ??= "openembedded"
+SPDX_AUTHORS[doc] = "A space separated list of the document authors. Each item \
+    is used to name a base variable like SPDX_AUTHORS_<AUTHOR> that \
+    describes the author."
+SPDX_AUTHORS_openembedded_name = "OpenEmbedded"
+SPDX_AUTHORS_openembedded_type = "organization"
+SPDX_BUILD_HOST[doc] = "The base variable name to describe the build host on \
+    which a build is running. Must be an SPDX_IMPORTS key. Requires \
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will result in \
+    non-reproducible SPDX output"
+SPDX_INVOKED_BY[doc] = "The base variable name to describe the Agent that \
+    invoked the build, which builds will link to if specified. Requires \
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will likely result in \
+    non-reproducible SPDX output"
+SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's \
+    behalf the invoking Agent (SPDX_INVOKED_BY) is running the build. Requires \
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will likely result in \
+    non-reproducible SPDX output"
+SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
+    is supplying artifacts produced by the build"
+SPDX_PACKAGE_VERSION ??= "${PV}"
+SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
+    in software_Package"
+SPDX_PACKAGE_URL ??= ""
+SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \
+the package URL string (in accordance with the Package URL specification) for \
+a software Package."
+IMAGE_CLASSES:append = " create-spdx-image-3.0"
+SDK_CLASSES += "create-spdx-sdk-3.0"
+oe.spdx30_tasks.set_timestamp_now[vardepsexclude] = "SPDX_INCLUDE_TIMESTAMPS"
+oe.spdx30_tasks.get_package_sources_from_debug[vardepsexclude] += "STAGING_KERNEL_DIR"
+oe.spdx30_tasks.collect_dep_objsets[vardepsexclude] = "SPDX_MULTILIB_SSTATE_ARCHS"
+# SPDX library code makes heavy use of classes, which bitbake cannot easily
+# parse out dependencies. As such, the library code files that make use of
+# classes are explicitly added as file checksum dependencies.
+SPDX3_LIB_DEP_FILES = "\
+    ${COREBASE}/meta/lib/oe/sbom30.py:True \
+    ${COREBASE}/meta/lib/oe/spdx30.py:True \
+    "
+python do_create_spdx() {
+    import oe.spdx30_tasks
+    oe.spdx30_tasks.create_spdx(d)
+}
+do_create_spdx[vardeps] += "\
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD \
+    SPDX_PACKAGE_ADDITIONAL_PURPOSE \
+    SPDX_PROFILES \
+    SPDX_NAMESPACE_PREFIX \
+    SPDX_UUID_NAMESPACE \
+    "
+addtask do_create_spdx after \
+    do_collect_spdx_deps \
+    do_deploy_source_date_epoch \
+    do_populate_sysroot do_package do_packagedata \
+    before do_populate_sdk do_populate_sdk_ext do_build do_rm_work
+SSTATETASKS += "do_create_spdx"
+do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
+do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+do_create_spdx[file-checksums] += "${SPDX3_LIB_DEP_FILES}"
+python do_create_spdx_setscene () {
+    sstate_setscene(d)
+}
+addtask do_create_spdx_setscene
+do_create_spdx[dirs] = "${SPDXWORK}"
+do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
+do_create_spdx[depends] += " \
+    ${PATCHDEPENDENCY} \
+    ${@create_spdx_source_deps(d)} \
+"
+python do_create_package_spdx() {
+    import oe.spdx30_tasks
+    oe.spdx30_tasks.create_package_spdx(d)
+}
+oe.spdx30_tasks.create_package_spdx[vardepsexclude] = "OVERRIDES"
+addtask do_create_package_spdx after do_create_spdx before do_build do_rm_work
+SSTATETASKS += "do_create_package_spdx"
+do_create_package_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+do_create_package_spdx[file-checksums] += "${SPDX3_LIB_DEP_FILES}"
+python do_create_package_spdx_setscene () {
+    sstate_setscene(d)
+}
+addtask do_create_package_spdx_setscene
+do_create_package_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[rdeptask] = "do_create_spdx"
+python spdx30_build_started_handler () {
+    import oe.spdx30_tasks
+    d = e.data.createCopy()
+    oe.spdx30_tasks.write_bitbake_spdx(d)
+}
+addhandler spdx30_build_started_handler
+spdx30_build_started_handler[eventmask] = "bb.event.BuildStarted"
diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index 19c6c0ff0b..b604973ae0 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -5,4 +5,4 @@
 #
 # Include this class when you don't care what version of SPDX you get; it will
 # be updated to the latest stable version that is supported
-inherit create-spdx-2.2
+inherit create-spdx-3.0
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 56ba8bceef..c63ebd56e1 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -31,25 +31,27 @@
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
-CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
+# Possible database sources: NVD1, NVD2, FKIE
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db"
+NVD_DB_VERSION ?= "FKIE"
+# Use different file names for each database source, as they synchronize at different moments, so may be slightly different
+CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}"
+CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}"
+CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
-CVE_CHECK_LOG ?= "${T}/cve.log"
-CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
 CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve"
 CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary"
-CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}"
 CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json"
 CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
 CVE_CHECK_LOG_JSON ?= "${T}/cve.json"
 CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
-CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}"
 CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
-CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.cve"
+CVE_CHECK_MANIFEST_JSON_SUFFIX ?= "json"
-CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json"
+CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.${CVE_CHECK_MANIFEST_JSON_SUFFIX}"
 CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
@@ -58,9 +60,6 @@ CVE_CHECK_REPORT_PATCHED ??= "1"
 CVE_CHECK_SHOW_WARNINGS ??= "1"
-# Provide text output
-CVE_CHECK_FORMAT_TEXT ??= "1"
 # Provide JSON output
 CVE_CHECK_FORMAT_JSON ??= "1"
@@ -105,21 +104,13 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 CVE_VERSION_SUFFIX ??= ""
 python () {
-    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    from oe.cve_check import extend_cve_status
-    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    extend_cve_status(d)
-    if cve_check_ignore:
-        bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+    nvd_database_type = d.getVar("NVD_DB_VERSION")
-        for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+    if nvd_database_type not in ("NVD1", "NVD2", "FKIE"):
-            d.setVarFlag("CVE_STATUS", cve, "ignored")
+        bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, FKIE. Defaulting to NVD2")
+        d.setVar("NVD_DB_VERSION", "NVD2")
-    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
-    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
-        cve_group = d.getVar(cve_status_group)
-        if cve_group is not None:
-            for cve in cve_group.split():
-                d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
-        else:
-            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
 }
 def generate_json_report(d, out_path, link_path):
@@ -150,20 +141,11 @@ python cve_save_summary_handler () {
    import datetime
    from oe.cve_check import update_symlinks
-    cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
    cve_summary_name = d.getVar("CVE_CHECK_SUMMARY_FILE_NAME")
    cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
    bb.utils.mkdirhier(cvelogpath)
    timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
-    cve_summary_file = os.path.join(cvelogpath, "%s-%s.txt" % (cve_summary_name, timestamp))
-    if os.path.exists(cve_tmp_file):
-        shutil.copyfile(cve_tmp_file, cve_summary_file)
-        cvefile_link = os.path.join(cvelogpath, cve_summary_name)
-        update_symlinks(cve_summary_file, cvefile_link)
-        bb.plain("Complete CVE report summary created at: %s" % cvefile_link)
    if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
        json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
@@ -187,24 +169,23 @@ python do_cve_check () {
                patched_cves = get_patched_cves(d)
            except FileNotFoundError:
                bb.fatal("Failure in searching patches")
-            ignored, patched, unpatched, status = check_cves(d, patched_cves)
+            cve_data, status = check_cves(d, patched_cves)
-            if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+            if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
-                cve_data = get_cve_info(d, patched + unpatched + ignored)
+                get_cve_info(d, cve_data)
-                cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+                cve_write_data(d, cve_data, status)
        else:
            bb.note("No CVE database found, skipping CVE check")
 }
 addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-nvd2-native:do_fetch"
+do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack"
 do_cve_check[nostamp] = "1"
 python cve_check_cleanup () {
    """
    Delete the file used to gather all the CVE information.
    """
-    bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
    bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH"))
 }
@@ -222,9 +203,6 @@ python cve_check_write_rootfs_manifest () {
    from oe.cve_check import cve_check_merge_jsons, update_symlinks
    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
-        deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
-        if os.path.exists(deploy_file):
-            bb.utils.remove(deploy_file)
        deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
        if os.path.exists(deploy_file_json):
            bb.utils.remove(deploy_file_json)
@@ -244,19 +222,13 @@ python cve_check_write_rootfs_manifest () {
    json_data = {"version":"1", "package": []}
    text_data = ""
    enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
-    enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
    save_pn = d.getVar("PN")
    for pkg in recipies:
-        # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
+        # To be able to use the CVE_CHECK_RECIPE_FILE_JSON variable we have to evaluate
        # it with the different PN names set each time.
        d.setVar("PN", pkg)
-        if enable_text:
-            pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
-            if os.path.exists(pkgfilepath):
-                with open(pkgfilepath) as pfile:
-                    text_data += pfile.read()
        if enable_json:
            pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
@@ -267,24 +239,17 @@ python cve_check_write_rootfs_manifest () {
    d.setVar("PN", save_pn)
-    if enable_text:
-        link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
-        manifest_name = d.getVar("CVE_CHECK_MANIFEST")
-        with open(manifest_name, "w") as f:
-            f.write(text_data)
-        update_symlinks(manifest_name, link_path)
-        bb.plain("Image CVE report stored in: %s" % manifest_name)
    if enable_json:
-        link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+        manifest_name_suffix = d.getVar("CVE_CHECK_MANIFEST_JSON_SUFFIX")
        manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
        with open(manifest_name, "w") as f:
            json.dump(json_data, f, indent=2)
-        update_symlinks(manifest_name, link_path)
+        if link_name:
+            link_path = os.path.join(deploy_dir, "%s.%s" % (link_name, manifest_name_suffix))
+            update_symlinks(manifest_name, link_path)
        bb.plain("Image CVE JSON report stored in: %s" % manifest_name)
 }
@@ -292,7 +257,51 @@ ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest ' if d
 do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
-def check_cves(d, patched_cves):
+def cve_is_ignored(d, cve_data, cve):
+    if cve not in cve_data:
+        return False
+    if cve_data[cve]['abbrev-status'] == "Ignored":
+        return True
+    return False
+def cve_is_patched(d, cve_data, cve):
+    if cve not in cve_data:
+        return False
+    if cve_data[cve]['abbrev-status'] == "Patched":
+        return True
+    return False
+def cve_update(d, cve_data, cve, entry):
+    # If no entry, just add it
+    if cve not in cve_data:
+        cve_data[cve] = entry
+        return
+    # If we are updating, there might be change in the status
+    bb.debug(1, "Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status']))
+    if cve_data[cve]['abbrev-status'] == "Unknown":
+        cve_data[cve] = entry
+        return
+    if cve_data[cve]['abbrev-status'] == entry['abbrev-status']:
+        return
+    # Update like in {'abbrev-status': 'Patched', 'status': 'version-not-in-range'} to {'abbrev-status': 'Unpatched', 'status': 'version-in-range'}
+    if entry['abbrev-status'] == "Unpatched" and cve_data[cve]['abbrev-status'] == "Patched":
+        if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range":
+            # New result from the scan, vulnerable
+            cve_data[cve] = entry
+            bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result" % cve)
+            return
+    if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched":
+        if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range":
+            # Range does not match the scan, but we already have a vulnerable match, ignore
+            bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve)
+            return
+    # If we have an "Ignored", it has a priority
+    if cve_data[cve]['abbrev-status'] == "Ignored":
+        bb.debug(1, "CVE %s not updating because Ignored" % cve)
+        return
+    bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry))
+def check_cves(d, cve_data):
    """
    Connect to the NVD database and find unpatched cves.
    """
@@ -302,28 +311,19 @@ def check_cves(d, patched_cves):
    real_pv = d.getVar("PV")
    suffix = d.getVar("CVE_VERSION_SUFFIX")
-    cves_unpatched = []
-    cves_ignored = []
    cves_status = []
    cves_in_recipe = False
    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
    products = d.getVar("CVE_PRODUCT").split()
    # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
    if not products:
-        return ([], [], [], [])
+        return ([], [])
    pv = d.getVar("CVE_VERSION").split("+git")[0]
    # If the recipe has been skipped/ignored we return empty lists
    if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split():
        bb.note("Recipe has been skipped by cve-check")
-        return ([], [], [], [])
+        return ([], [])
-    # Convert CVE_STATUS into ignored CVEs and check validity
-    cve_ignore = []
-    for cve in (d.getVarFlags("CVE_STATUS") or {}):
-        decoded_status, _, _ = decode_cve_status(d, cve)
-        if decoded_status == "Ignored":
-            cve_ignore.append(cve)
    import sqlite3
    db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -342,19 +342,19 @@ def check_cves(d, patched_cves):
        for cverow in cve_cursor:
            cve = cverow[0]
-            if cve in cve_ignore:
-                bb.note("%s-%s ignores %s" % (product, pv, cve))
-                cves_ignored.append(cve)
-                continue
-            elif cve in patched_cves:
-                bb.note("%s has been patched" % (cve))
-                continue
            # Write status once only for each product
            if not cves_in_product:
                cves_status.append([product, True])
                cves_in_product = True
                cves_in_recipe = True
+            if cve_is_ignored(d, cve_data, cve):
+                bb.note("%s-%s ignores %s" % (product, pv, cve))
+                continue
+            elif cve_is_patched(d, cve_data, cve):
+                bb.note("%s has been patched" % (cve))
+                continue
            vulnerable = False
            ignored = False
@@ -362,7 +362,7 @@ def check_cves(d, patched_cves):
            for row in product_cursor:
                (_, _, _, version_start, operator_start, version_end, operator_end) = row
                #bb.debug(2, "Evaluating row " + str(row))
-                if cve in cve_ignore:
+                if cve_is_ignored(d, cve_data, cve):
                    ignored = True
                version_start = convert_cve_version(version_start)
@@ -401,16 +401,16 @@ def check_cves(d, patched_cves):
                if vulnerable:
                    if ignored:
                        bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv))
-                        cves_ignored.append(cve)
+                        cve_update(d, cve_data, cve, {"abbrev-status": "Ignored"})
                    else:
                        bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
-                        cves_unpatched.append(cve)
+                        cve_update(d, cve_data, cve, {"abbrev-status": "Unpatched", "status": "version-in-range"})
                    break
            product_cursor.close()
            if not vulnerable:
                bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
-                patched_cves.add(cve)
+                cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"})
        cve_cursor.close()
        if not cves_in_product:
@@ -418,123 +418,44 @@ def check_cves(d, patched_cves):
            cves_status.append([product, False])
    conn.close()
-    diff_ignore = list(set(cve_ignore) - set(cves_ignored))
-    if diff_ignore:
-        oe.qa.handle_error("cve_status_not_in_db", "Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % " ".join(diff_ignore), d)
    if not cves_in_recipe:
        bb.note("No CVE records for products in recipe %s" % (pn))
-    return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status)
+    if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
+        unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"]
+        if unpatched_cves:
+            bb.warn("Found unpatched CVE (%s)" % " ".join(unpatched_cves))
+    return (cve_data, cves_status)
-def get_cve_info(d, cves):
+def get_cve_info(d, cve_data):
    """
    Get CVE information from the database.
    """
    import sqlite3
-    cve_data = {}
    db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
    conn = sqlite3.connect(db_file, uri=True)
-    for cve in cves:
+    for cve in cve_data:
        cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
        for row in cursor:
-            cve_data[row[0]] = {}
+            # The CVE itdelf has been added already
-            cve_data[row[0]]["summary"] = row[1]
+            if row[0] not in cve_data:
-            cve_data[row[0]]["scorev2"] = row[2]
+                bb.note("CVE record %s not present" % row[0])
-            cve_data[row[0]]["scorev3"] = row[3]
+                continue
-            cve_data[row[0]]["modified"] = row[4]
+            #cve_data[row[0]] = {}
-            cve_data[row[0]]["vector"] = row[5]
+            cve_data[row[0]]["NVD-summary"] = row[1]
-            cve_data[row[0]]["vectorString"] = row[6]
+            cve_data[row[0]]["NVD-scorev2"] = row[2]
+            cve_data[row[0]]["NVD-scorev3"] = row[3]
+            cve_data[row[0]]["NVD-scorev4"] = row[4]
+            cve_data[row[0]]["NVD-modified"] = row[5]
+            cve_data[row[0]]["NVD-vector"] = row[6]
+            cve_data[row[0]]["NVD-vectorString"] = row[7]
        cursor.close()
    conn.close()
-    return cve_data
-def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
-    """
-    Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
-    CVE manifest if enabled.
-    """
-    from oe.cve_check import decode_cve_status
-    cve_file = d.getVar("CVE_CHECK_LOG")
-    fdir_name  = d.getVar("FILE_DIRNAME")
-    layer = fdir_name.split("/")[-3]
-    include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
-    exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
-    report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
-    if exclude_layers and layer in exclude_layers:
-        return
-    if include_layers and layer not in include_layers:
-        return
-    # Early exit, the text format does not report packages without CVEs
-    if not patched+unpatched+ignored:
-        return
-    nvd_link = "https://nvd.nist.gov/vuln/detail/"
-    write_string = ""
-    unpatched_cves = []
-    bb.utils.mkdirhier(os.path.dirname(cve_file))
-    for cve in sorted(cve_data):
-        is_patched = cve in patched
-        is_ignored = cve in ignored
-        status = "Unpatched"
-        if (is_patched or is_ignored) and not report_all:
-            continue
-        if is_ignored:
-            status = "Ignored"
-        elif is_patched:
-            status = "Patched"
-        else:
-            # default value of status is Unpatched
-            unpatched_cves.append(cve)
-        write_string += "LAYER: %s\n" % layer
-        write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
-        write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
-        write_string += "CVE: %s\n" % cve
-        write_string += "CVE STATUS: %s\n" % status
-        _, detail, description = decode_cve_status(d, cve)
-        if detail:
-            write_string += "CVE DETAIL: %s\n" % detail
-        if description:
-            write_string += "CVE DESCRIPTION: %s\n" % description
-        write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
-        write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
-        write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
-        write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
-        write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"]
-        write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
-    if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
-        bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
-    with open(cve_file, "w") as f:
-        bb.note("Writing file %s with CVE information" % cve_file)
-        f.write(write_string)
-    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
-        deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
-        bb.utils.mkdirhier(os.path.dirname(deploy_file))
-        with open(deploy_file, "w") as f:
-            f.write(write_string)
-    if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
-        cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
-        bb.utils.mkdirhier(cvelogpath)
-        with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
-            f.write("%s" % write_string)
 def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file):
    """
@@ -566,13 +487,11 @@ def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_fi
        with open(index_path, "a+") as f:
            f.write("%s\n" % fragment_path)
-def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
+def cve_write_data_json(d, cve_data, cve_status):
    """
    Prepare CVE data for the JSON format, then write it.
    """
-    from oe.cve_check import decode_cve_status
    output = {"version":"1", "package": []}
    nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -590,8 +509,6 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
    if include_layers and layer not in include_layers:
        return
-    unpatched_cves = []
    product_data = []
    for s in cve_status:
        p = {"product": s[0], "cvesInRecord": "Yes"}
@@ -606,39 +523,33 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
        "version" : package_version,
        "products": product_data
    }
    cve_list = []
    for cve in sorted(cve_data):
-        is_patched = cve in patched
+        if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"):
-        is_ignored = cve in ignored
-        status = "Unpatched"
-        if (is_patched or is_ignored) and not report_all:
            continue
-        if is_ignored:
-            status = "Ignored"
-        elif is_patched:
-            status = "Patched"
-        else:
-            # default value of status is Unpatched
-            unpatched_cves.append(cve)
        issue_link = "%s%s" % (nvd_link, cve)
        cve_item = {
            "id" : cve,
-            "summary" : cve_data[cve]["summary"],
+            "status" : cve_data[cve]["abbrev-status"],
-            "scorev2" : cve_data[cve]["scorev2"],
+            "link": issue_link,
-            "scorev3" : cve_data[cve]["scorev3"],
-            "vector" : cve_data[cve]["vector"],
-            "vectorString" : cve_data[cve]["vectorString"],
-            "status" : status,
-            "link": issue_link
        }
-        _, detail, description = decode_cve_status(d, cve)
+        if 'NVD-summary' in cve_data[cve]:
-        if detail:
+            cve_item["summary"] = cve_data[cve]["NVD-summary"]
-            cve_item["detail"] = detail
+            cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
-        if description:
+            cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
-            cve_item["description"] = description
+            cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
+            cve_item["modified"] = cve_data[cve]["NVD-modified"]
+            cve_item["vector"] = cve_data[cve]["NVD-vector"]
+            cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]
+        if 'status' in cve_data[cve]:
+            cve_item["detail"] = cve_data[cve]["status"]
+        if 'justification' in cve_data[cve]:
+            cve_item["description"] = cve_data[cve]["justification"]
+        if 'resource' in cve_data[cve]:
+            cve_item["patch-file"] = cve_data[cve]["resource"]
        cve_list.append(cve_item)
    package_data["issue"] = cve_list
@@ -650,12 +561,10 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
    cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file)
-def cve_write_data(d, patched, unpatched, ignored, cve_data, status):
+def cve_write_data(d, cve_data, status):
    """
    Write CVE data in each enabled format.
    """
-    if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1":
-        cve_write_data_text(d, patched, unpatched, ignored, cve_data)
    if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
-        cve_write_data_json(d, patched, unpatched, ignored, cve_data, status)
+        cve_write_data_json(d, cve_data, status)
diff --git a/meta/classes/devtool-source.bbclass b/meta/classes/devtool-source.bbclass
index 3e24800dcb..2e0070486b 100644
--- a/meta/classes/devtool-source.bbclass
+++ b/meta/classes/devtool-source.bbclass
@@ -92,9 +92,9 @@ python devtool_post_unpack() {
            for fname in local_files:
                f.write('%s\n' % fname)
-    if os.path.dirname(srcsubdir) != workdir:
+    if srcsubdir.startswith(unpackdir) and os.path.dirname(srcsubdir) != unpackdir:
        # Handle if S is set to a subdirectory of the source
-        srcsubdir = os.path.join(workdir, os.path.relpath(srcsubdir, workdir).split(os.sep)[0])
+        srcsubdir = os.path.normpath(os.path.join(unpackdir, os.path.relpath(srcsubdir, unpackdir).split(os.sep)[0]))
    scriptutils.git_convert_standalone_clone(srcsubdir)
@@ -179,9 +179,9 @@ python devtool_post_patch() {
                # (otherwise we'd likely be left with identical commits that have different hashes)
                bb.process.run('git rebase devtool-no-overrides', cwd=srcsubdir)
        bb.process.run('git checkout %s' % devbranch, cwd=srcsubdir)
-    bb.process.run('git tag -f devtool-patched', cwd=srcsubdir)
+    bb.process.run('git tag -f --no-sign devtool-patched', cwd=srcsubdir)
    if os.path.exists(os.path.join(srcsubdir, '.gitmodules')):
-        bb.process.run('git submodule foreach --recursive  "git tag -f devtool-patched"', cwd=srcsubdir)
+        bb.process.run('git submodule foreach --recursive  "git tag -f --no-sign devtool-patched"', cwd=srcsubdir)
 }
diff --git a/meta/classes/go-vendor.bbclass b/meta/classes/go-vendor.bbclass
index 1bbb99ac79..6ec6178add 100644
--- a/meta/classes/go-vendor.bbclass
+++ b/meta/classes/go-vendor.bbclass
@@ -70,7 +70,7 @@ python do_go_vendor() {
    if os.path.exists(vendor_dir):
        # Nothing to do except re-establish link to actual vendor folder
        if not os.path.exists(linkname):
-            os.symlink(vendor_dir, linkname)
+            oe.path.relsymlink(vendor_dir, linkname)
        return
    bb.utils.mkdirhier(vendor_dir)
@@ -156,7 +156,7 @@ python do_go_vendor() {
                shutil.copy2(rootdirLicese, subdirLicense)
    # Copy vendor manifest
-    modules_txt_src = os.path.join(d.getVar('WORKDIR'), "modules.txt")
+    modules_txt_src = os.path.join(d.getVar('UNPACKDIR'), "modules.txt")
    bb.debug(1, "cp %s --> %s" % (modules_txt_src, vendor_dir))
    shutil.copy2(modules_txt_src, vendor_dir)
@@ -201,11 +201,15 @@ python do_go_vendor() {
    for vendored_name, replaced_path in replaced_paths.items():
        symlink_target = os.path.join(source_dir, *['src', go_import, replaced_path])
        symlink_name = os.path.join(vendor_dir, vendored_name)
+        relative_symlink_target = os.path.relpath(symlink_target, os.path.dirname(symlink_name))
        bb.debug(1, "vendored name %s, symlink name %s" % (vendored_name, symlink_name))
-        os.symlink(symlink_target, symlink_name)
+        os.makedirs(os.path.dirname(symlink_name), exist_ok=True)
+        os.symlink(relative_symlink_target, symlink_name)
    # Create a symlink to the actual directory
-    os.symlink(vendor_dir, linkname)
+    relative_vendor_dir = os.path.relpath(vendor_dir, os.path.dirname(linkname))
+    os.symlink(relative_vendor_dir, linkname)
 }
 addtask go_vendor before do_patch after do_unpack
diff --git a/meta/classes/icecc.bbclass b/meta/classes/icecc.bbclass
deleted file mode 100644
index 159cae20f8..0000000000
--- a/meta/classes/icecc.bbclass
+++ /dev/null
@@ -1,461 +0,0 @@
-#
-# Copyright OpenEmbedded Contributors
-#
-# SPDX-License-Identifier: MIT
-#
-# Icecream distributed compiling support
-#
-# Stages directories with symlinks from gcc/g++ to icecc, for both
-# native and cross compilers. Depending on each configure or compile,
-# the directories are added at the head of the PATH list and ICECC_CXX
-# and ICECC_CC are set.
-#
-# For the cross compiler, creates a tar.gz of our toolchain and sets
-# ICECC_VERSION accordingly.
-#
-# The class now handles all 3 different compile 'stages' (i.e native ,cross-kernel and target) creating the
-# necessary environment tar.gz file to be used by the remote machines.
-# It also supports meta-toolchain generation.
-#
-# If ICECC_PATH is not set in local.conf then the class will try to locate it using 'bb.utils.which'
-# but nothing is sure. ;)
-#
-# If ICECC_ENV_EXEC is set in local.conf, then it should point to the icecc-create-env script provided by the user
-# or the default one provided by icecc-create-env_0.1.bb will be used.
-# (NOTE that this is a modified version of the needed script and *not the one that comes with icecream*).
-#
-# User can specify if specific recipes or recipes inheriting specific classes should not use icecc to distribute
-# compile jobs to remote machines, but handle them locally by defining ICECC_CLASS_DISABLE and ICECC_RECIPE_DISABLE
-# with the appropriate values in local.conf. In addition the user can force to enable icecc for recipes
-# which set an empty PARALLEL_MAKE variable by defining ICECC_RECIPE_ENABLE.
-#
-#########################################################################################
-# Error checking is kept to minimum so double check any parameters you pass to the class
-#########################################################################################
-BB_BASEHASH_IGNORE_VARS += "ICECC_PARALLEL_MAKE ICECC_DISABLED ICECC_RECIPE_DISABLE \
-    ICECC_CLASS_DISABLE ICECC_RECIPE_ENABLE ICECC_PATH ICECC_ENV_EXEC \
-    ICECC_CARET_WORKAROUND ICECC_CFLAGS ICECC_ENV_VERSION \
-    ICECC_DEBUG ICECC_LOGFILE ICECC_REPEAT_RATE ICECC_PREFERRED_HOST \
-    ICECC_CLANG_REMOTE_CPP ICECC_IGNORE_UNVERIFIED ICECC_TEST_SOCKET \
-    ICECC_ENV_DEBUG ICECC_REMOTE_CPP \
-    "
-ICECC_ENV_EXEC ?= "${STAGING_BINDIR_NATIVE}/icecc-create-env"
-HOSTTOOLS_NONFATAL += "icecc patchelf"
-# This version can be incremented when changes are made to the environment that
-# invalidate the version on the compile nodes. Changing it will cause a new
-# environment to be created.
-#
-# A useful thing to do for testing icecream changes locally is to add a
-# subversion in local.conf:
-#  ICECC_ENV_VERSION:append = "-my-ver-1"
-ICECC_ENV_VERSION = "2"
-# Default to disabling the caret workaround, If set to "1" in local.conf, icecc
-# will locally recompile any files that have warnings, which can adversely
-# affect performance.
-#
-# See: https://github.com/icecc/icecream/issues/190
-export ICECC_CARET_WORKAROUND ??= "0"
-export ICECC_REMOTE_CPP ??= "0"
-ICECC_CFLAGS = ""
-CFLAGS += "${ICECC_CFLAGS}"
-CXXFLAGS += "${ICECC_CFLAGS}"
-# Debug flags when generating environments
-ICECC_ENV_DEBUG ??= ""
-# Disable recipe list contains a list of recipes that can not distribute
-# compile tasks for one reason or the other. When adding a new entry, please
-# document why (how it failed) so that we can re-evaluate it later e.g. when
-# there is a new version.
-#
-# libgcc-initial - fails with CPP sanity check error if host sysroot contains
-#                  cross gcc built for another target tune/variant.
-# pixman - prng_state: TLS reference mismatches non-TLS reference, possibly due to
-#          pragma omp threadprivate(prng_state).
-# systemtap - _HelperSDT.c undefs macros and uses the identifiers in macros emitting
-#             inline assembly.
-# target-sdk-provides-dummy - ${HOST_PREFIX} is empty which triggers the "NULL
-#                             prefix" error.
-ICECC_RECIPE_DISABLE += "\
-    libgcc-initial \
-    pixman \
-    systemtap \
-    target-sdk-provides-dummy \
-    "
-# Classes that should not use icecc. When adding a new entry, please
-# document why (how it failed) so that we can re-evaluate it later.
-#
-# image - images aren't compiling, but the testing framework for images captures
-#         PARALLEL_MAKE as part of the test environment. Many tests won't use
-#         icecream, but leaving the high level of parallelism can cause them to
-#         consume an unnecessary amount of resources.
-ICECC_CLASS_DISABLE += "\
-    image \
-    "
-def get_icecc_dep(d):
-    # INHIBIT_DEFAULT_DEPS doesn't apply to the patch command. Whether or not
-    # we need that built is the responsibility of the patch function / class, not
-    # the application.
-    if not d.getVar('INHIBIT_DEFAULT_DEPS'):
-        return "icecc-create-env-native"
-    return ""
-DEPENDS:prepend = "${@get_icecc_dep(d)} "
-get_cross_kernel_cc[vardepsexclude] += "KERNEL_CC"
-def get_cross_kernel_cc(bb,d):
-    if not icecc_is_kernel(bb, d):
-        return None
-    # evaluate the expression by the shell if necessary
-    kernel_cc = d.getVar('KERNEL_CC')
-    if '`' in kernel_cc or '$(' in kernel_cc:
-        import subprocess
-        kernel_cc = subprocess.check_output("echo %s" % kernel_cc, shell=True).decode("utf-8")[:-1]
-    kernel_cc = kernel_cc.replace('ccache', '').strip()
-    kernel_cc = kernel_cc.split(' ')[0]
-    kernel_cc = kernel_cc.strip()
-    return kernel_cc
-def get_icecc(d):
-    return d.getVar('ICECC_PATH') or bb.utils.which(os.getenv("PATH"), "icecc")
-def use_icecc(bb,d):
-    if d.getVar('ICECC_DISABLED') == "1":
-        # don't even try it, when explicitly disabled
-        return "no"
-    # allarch recipes don't use compiler
-    if icecc_is_allarch(bb, d):
-        return "no"
-    if icecc_is_cross_canadian(bb, d):
-        return "no"
-    pn = d.getVar('PN')
-    bpn = d.getVar('BPN')
-    # Enable/disable checks are made against BPN, because there is a good
-    # chance that if icecc should be skipped for a recipe, it should be skipped
-    # for all the variants of that recipe. PN is still checked in case a user
-    # specified a more specific recipe.
-    check_pn = set([pn, bpn])
-    class_disable = (d.getVar('ICECC_CLASS_DISABLE') or "").split()
-    for bbclass in class_disable:
-        if bb.data.inherits_class(bbclass, d):
-            bb.debug(1, "%s: bbclass %s found in disable, disable icecc" % (pn, bbclass))
-            return "no"
-    disabled_recipes = (d.getVar('ICECC_RECIPE_DISABLE') or "").split()
-    enabled_recipes = (d.getVar('ICECC_RECIPE_ENABLE') or "").split()
-    if check_pn & set(disabled_recipes):
-        bb.debug(1, "%s: found in disable list, disable icecc" % pn)
-        return "no"
-    if check_pn & set(enabled_recipes):
-        bb.debug(1, "%s: found in enabled recipes list, enable icecc" % pn)
-        return "yes"
-    if d.getVar('PARALLEL_MAKE') == "":
-        bb.debug(1, "%s: has empty PARALLEL_MAKE, disable icecc" % pn)
-        return "no"
-    return "yes"
-def icecc_is_allarch(bb, d):
-    return d.getVar("PACKAGE_ARCH") == "all"
-def icecc_is_kernel(bb, d):
-    return \
-        bb.data.inherits_class("kernel", d);
-def icecc_is_native(bb, d):
-    return \
-        bb.data.inherits_class("cross", d) or \
-        bb.data.inherits_class("native", d);
-def icecc_is_cross_canadian(bb, d):
-    return bb.data.inherits_class("cross-canadian", d)
-def icecc_dir(bb, d):
-    return d.expand('${TMPDIR}/work-shared/ice')
-# Don't pollute allarch signatures with TARGET_FPU
-icecc_version[vardepsexclude] += "TARGET_FPU"
-def icecc_version(bb, d):
-    if use_icecc(bb, d) == "no":
-        return ""
-    parallel = d.getVar('ICECC_PARALLEL_MAKE') or ""
-    if not d.getVar('PARALLEL_MAKE') == "" and parallel:
-        d.setVar("PARALLEL_MAKE", parallel)
-    # Disable showing the caret in the GCC compiler output if the workaround is
-    # disabled
-    if d.getVar('ICECC_CARET_WORKAROUND') == '0':
-        d.setVar('ICECC_CFLAGS', '-fno-diagnostics-show-caret')
-    if icecc_is_native(bb, d):
-        archive_name = "local-host-env"
-    elif d.expand('${HOST_PREFIX}') == "":
-        bb.fatal(d.expand("${PN}"), " NULL prefix")
-    else:
-        prefix = d.expand('${HOST_PREFIX}' )
-        distro = d.expand('${DISTRO}')
-        target_sys = d.expand('${TARGET_SYS}')
-        float = d.getVar('TARGET_FPU') or "hard"
-        archive_name = prefix + distro + "-"        + target_sys + "-" + float
-        if icecc_is_kernel(bb, d):
-            archive_name += "-kernel"
-    import socket
-    ice_dir = icecc_dir(bb, d)
-    tar_file = os.path.join(ice_dir, "{archive}-{version}-@VERSION@-{hostname}.tar.gz".format(
-        archive=archive_name,
-        version=d.getVar('ICECC_ENV_VERSION'),
-        hostname=socket.gethostname()
-        ))
-    return tar_file
-def icecc_path(bb,d):
-    if use_icecc(bb, d) == "no":
-        # don't create unnecessary directories when icecc is disabled
-        return
-    staging = os.path.join(d.expand('${STAGING_BINDIR}'), "ice")
-    if icecc_is_kernel(bb, d):
-        staging += "-kernel"
-    return staging
-def icecc_get_external_tool(bb, d, tool):
-    external_toolchain_bindir = d.expand('${EXTERNAL_TOOLCHAIN}${bindir_cross}')
-    target_prefix = d.expand('${TARGET_PREFIX}')
-    return os.path.join(external_toolchain_bindir, '%s%s' % (target_prefix, tool))
-def icecc_get_tool_link(tool, d):
-    import subprocess
-    try:
-        return subprocess.check_output("readlink -f %s" % tool, shell=True).decode("utf-8")[:-1]
-    except subprocess.CalledProcessError as e:
-        bb.note("icecc: one of the tools probably disappeared during recipe parsing, cmd readlink -f %s returned %d:\n%s" % (tool, e.returncode, e.output.decode("utf-8")))
-        return tool
-def icecc_get_path_tool(tool, d):
-    # This is a little ugly, but we want to make sure we add an actual
-    # compiler to the toolchain, not ccache. Some distros (e.g. Fedora)
-    # have ccache enabled by default using symlinks in PATH, meaning ccache
-    # would be found first when looking for the compiler.
-    paths = os.getenv("PATH").split(':')
-    while True:
-        p, hist = bb.utils.which(':'.join(paths), tool, history=True)
-        if not p or os.path.basename(icecc_get_tool_link(p, d)) != 'ccache':
-            return p
-        paths = paths[len(hist):]
-    return ""
-# Don't pollute native signatures with target TUNE_PKGARCH through STAGING_BINDIR_TOOLCHAIN
-icecc_get_tool[vardepsexclude] += "STAGING_BINDIR_TOOLCHAIN"
-def icecc_get_tool(bb, d, tool):
-    if icecc_is_native(bb, d):
-        return icecc_get_path_tool(tool, d)
-    elif icecc_is_kernel(bb, d):
-        return icecc_get_path_tool(get_cross_kernel_cc(bb, d), d)
-    else:
-        ice_dir = d.expand('${STAGING_BINDIR_TOOLCHAIN}')
-        target_sys = d.expand('${TARGET_SYS}')
-        for p in ice_dir.split(':'):
-            tool_bin = os.path.join(p, "%s-%s" % (target_sys, tool))
-            if os.path.isfile(tool_bin):
-                return tool_bin
-        external_tool_bin = icecc_get_external_tool(bb, d, tool)
-        if os.path.isfile(external_tool_bin):
-            return external_tool_bin
-        return ""
-def icecc_get_and_check_tool(bb, d, tool):
-    # Check that g++ or gcc is not a symbolic link to icecc binary in
-    # PATH or icecc-create-env script will silently create an invalid
-    # compiler environment package.
-    t = icecc_get_tool(bb, d, tool)
-    if t:
-        link_path = icecc_get_tool_link(t, d)
-        if link_path == get_icecc(d):
-            bb.error("%s is a symlink to %s in PATH and this prevents icecc from working" % (t, link_path))
-            return ""
-        else:
-            return t
-    else:
-        return t
-wait_for_file() {
-    local TIME_ELAPSED=0
-    local FILE_TO_TEST=$1
-    local TIMEOUT=$2
-    until [ -f "$FILE_TO_TEST" ]
-    do
-        TIME_ELAPSED=$(expr $TIME_ELAPSED + 1)
-        if [ $TIME_ELAPSED -gt $TIMEOUT ]
-        then
-            return 1
-        fi
-        sleep 1
-    done
-}
-def set_icecc_env():
-    # dummy python version of set_icecc_env
-    return
-set_icecc_env[vardepsexclude] += "KERNEL_CC"
-set_icecc_env() {
-    if [ "${@use_icecc(bb, d)}" = "no" ]
-    then
-        return
-    fi
-    ICECC_VERSION="${@icecc_version(bb, d)}"
-    if [ "x${ICECC_VERSION}" = "x" ]
-    then
-        bbwarn "Cannot use icecc: could not get ICECC_VERSION"
-        return
-    fi
-    ICE_PATH="${@icecc_path(bb, d)}"
-    if [ "x${ICE_PATH}" = "x" ]
-    then
-        bbwarn "Cannot use icecc: could not get ICE_PATH"
-        return
-    fi
-    ICECC_BIN="${@get_icecc(d)}"
-    if [ -z "${ICECC_BIN}" ]; then
-        bbwarn "Cannot use icecc: icecc binary not found"
-        return
-    fi
-    if [ -z "$(which patchelf patchelf-uninative)" ]; then
-        bbwarn "Cannot use icecc: patchelf not found"
-        return
-    fi
-    ICECC_CC="${@icecc_get_and_check_tool(bb, d, "gcc")}"
-    ICECC_CXX="${@icecc_get_and_check_tool(bb, d, "g++")}"
-    # cannot use icecc_get_and_check_tool here because it assumes as without target_sys prefix
-    ICECC_WHICH_AS="${@bb.utils.which(os.getenv('PATH'), 'as')}"
-    if [ ! -x "${ICECC_CC}" -o ! -x "${ICECC_CXX}" ]
-    then
-        bbnote "Cannot use icecc: could not get ICECC_CC or ICECC_CXX"
-        return
-    fi
-    ICE_VERSION="$($ICECC_CC -dumpversion)"
-    ICECC_VERSION=$(echo ${ICECC_VERSION} | sed -e "s/@VERSION@/$ICE_VERSION/g")
-    if [ ! -x "${ICECC_ENV_EXEC}" ]
-    then
-        bbwarn "Cannot use icecc: invalid ICECC_ENV_EXEC"
-        return
-    fi
-    # Create symlinks to icecc and wrapper-scripts in the recipe-sysroot directory
-    mkdir -p $ICE_PATH/symlinks
-    if [ -n "${KERNEL_CC}" ]; then
-        compilers="${@get_cross_kernel_cc(bb,d)}"
-    else
-        compilers="${HOST_PREFIX}gcc ${HOST_PREFIX}g++"
-    fi
-    for compiler in $compilers; do
-        ln -sf $ICECC_BIN $ICE_PATH/symlinks/$compiler
-        cat <<-__EOF__ > $ICE_PATH/$compiler
-                #!/bin/sh -e
-                export ICECC_VERSION=$ICECC_VERSION
-                export ICECC_CC=$ICECC_CC
-                export ICECC_CXX=$ICECC_CXX
-                $ICE_PATH/symlinks/$compiler "\$@"
-                __EOF__
-        chmod 775 $ICE_PATH/$compiler
-    done
-    ICECC_AS="$(${ICECC_CC} -print-prog-name=as)"
-    # for target recipes should return something like:
-    # /OE/tmp-eglibc/sysroots/x86_64-linux/usr/libexec/arm920tt-oe-linux-gnueabi/gcc/arm-oe-linux-gnueabi/4.8.2/as
-    # and just "as" for native, if it returns "as" in current directory (for whatever reason) use "as" from PATH
-    if [ "$(dirname "${ICECC_AS}")" = "." ]
-    then
-        ICECC_AS="${ICECC_WHICH_AS}"
-    fi
-    if [ ! -f "${ICECC_VERSION}.done" ]
-    then
-        mkdir -p "$(dirname "${ICECC_VERSION}")"
-        # the ICECC_VERSION generation step must be locked by a mutex
-        # in order to prevent race conditions
-        if flock -n "${ICECC_VERSION}.lock" \
-            ${ICECC_ENV_EXEC} ${ICECC_ENV_DEBUG} "${ICECC_CC}" "${ICECC_CXX}" "${ICECC_AS}" "${ICECC_VERSION}"
-        then
-            touch "${ICECC_VERSION}.done"
-        elif ! wait_for_file "${ICECC_VERSION}.done" 30
-        then
-            # locking failed so wait for ${ICECC_VERSION}.done to appear
-            bbwarn "Timeout waiting for ${ICECC_VERSION}.done"
-            return
-        fi
-    fi
-    # Don't let ccache find the icecream compiler links that have been created, otherwise
-    # it can end up invoking icecream recursively.
-    export CCACHE_PATH="$PATH"
-    export CCACHE_DISABLE="1"
-    export PATH="$ICE_PATH:$PATH"
-    bbnote "Using icecc path: $ICE_PATH"
-    bbnote "Using icecc tarball: $ICECC_VERSION"
-}
-do_configure:prepend() {
-    set_icecc_env
-}
-do_compile:prepend() {
-    set_icecc_env
-}
-do_compile_kernelmodules:prepend() {
-    set_icecc_env
-}
-do_install:prepend() {
-    set_icecc_env
-}
-# Icecream is not (currently) supported in the extensible SDK
-ICECC_SDK_HOST_TASK = "nativesdk-icecc-toolchain"
-ICECC_SDK_HOST_TASK:task-populate-sdk-ext = ""
-# Don't include icecream in uninative tarball
-ICECC_SDK_HOST_TASK:pn-uninative-tarball = ""
-# Add the toolchain scripts to the SDK
-TOOLCHAIN_HOST_TASK:append = " ${ICECC_SDK_HOST_TASK}"
-python () {
-    if d.getVar('ICECC_DISABLED') != "1":
-        for task in ['do_configure', 'do_compile', 'do_compile_kernelmodules', 'do_install']:
-                d.setVarFlag(task, 'network', '1')
-}
diff --git a/meta/classes/migrate_localcount.bbclass b/meta/classes/migrate_localcount.bbclass
deleted file mode 100644
index 1d00c110e2..0000000000
--- a/meta/classes/migrate_localcount.bbclass
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Copyright OpenEmbedded Contributors
-#
-# SPDX-License-Identifier: MIT
-#
-PRSERV_DUMPDIR ??= "${LOG_DIR}/db"
-LOCALCOUNT_DUMPFILE ??= "${PRSERV_DUMPDIR}/prserv-localcount-exports.inc"
-python migrate_localcount_handler () {
-    import bb.event
-    if not e.data:
-        return
-    pv = e.data.getVar('PV')
-    if not 'AUTOINC' in pv:
-        return
-    localcounts = bb.persist_data.persist('BB_URI_LOCALCOUNT', e.data)
-    pn = e.data.getVar('PN')
-    revs = localcounts.get_by_pattern('%%-%s_rev' % pn)
-    counts = localcounts.get_by_pattern('%%-%s_count' % pn)
-    if not revs or not counts:
-        return
-    if len(revs) != len(counts):
-        bb.warn("The number of revs and localcounts don't match in %s" % pn)
-        return
-    version = e.data.getVar('PRAUTOINX')
-    srcrev = bb.fetch2.get_srcrev(e.data)
-    base_ver = 'AUTOINC-%s' % version[:version.find(srcrev)]
-    pkgarch = e.data.getVar('PACKAGE_ARCH')
-    value = max(int(count) for count in counts)
-    if len(revs) == 1:
-        if srcrev != ('AUTOINC+%s' % revs[0]):
-            value += 1
-    else:
-        value += 1
-    bb.utils.mkdirhier(e.data.getVar('PRSERV_DUMPDIR'))
-    df = e.data.getVar('LOCALCOUNT_DUMPFILE')
-    flock = bb.utils.lockfile("%s.lock" % df)
-    with open(df, 'a') as fd:
-        fd.write('PRAUTO$%s$%s$%s = "%s"\n' %
-                (base_ver, pkgarch, srcrev, str(value)))
-    bb.utils.unlockfile(flock)
-}
-addhandler migrate_localcount_handler
-migrate_localcount_handler[eventmask] = "bb.event.RecipeParsed"
diff --git a/meta/classes/multilib.bbclass b/meta/classes/multilib.bbclass
index b6c09969b1..b959bbd93c 100644
--- a/meta/classes/multilib.bbclass
+++ b/meta/classes/multilib.bbclass
@@ -5,30 +5,31 @@
 #
 python multilib_virtclass_handler () {
-    cls = e.data.getVar("BBEXTENDCURR")
+    cls = d.getVar("BBEXTENDCURR")
-    variant = e.data.getVar("BBEXTENDVARIANT")
+    variant = d.getVar("BBEXTENDVARIANT")
    if cls != "multilib" or not variant:
        return
-    localdata = bb.data.createCopy(e.data)
+    localdata = bb.data.createCopy(d)
    localdata.delVar('TMPDIR')
-    e.data.setVar('STAGING_KERNEL_DIR', localdata.getVar('STAGING_KERNEL_DIR'))
+    d.setVar('STAGING_KERNEL_DIR', localdata.getVar('STAGING_KERNEL_DIR'))
    # There should only be one kernel in multilib configs
    # We also skip multilib setup for module packages.
-    provides = (e.data.getVar("PROVIDES") or "").split()
+    provides = (d.getVar("PROVIDES") or "").split()
    non_ml_recipes = d.getVar('NON_MULTILIB_RECIPES').split()
-    bpn = e.data.getVar("BPN")
+    bpn = d.getVar("BPN")
-    if "virtual/kernel" in provides or \
+    if ("virtual/kernel" in provides
-            bb.data.inherits_class('module-base', e.data) or \
+            or bb.data.inherits_class('module-base', d)
-            bpn in non_ml_recipes:
+            or bb.data.inherits_class('kernel-fit-image', d)
+            or bpn in non_ml_recipes):
        raise bb.parse.SkipRecipe("We shouldn't have multilib variants for %s" % bpn)
-    save_var_name=e.data.getVar("MULTILIB_SAVE_VARNAME") or ""
+    save_var_name = d.getVar("MULTILIB_SAVE_VARNAME") or ""
    for name in save_var_name.split():
-        val=e.data.getVar(name)
+        val = d.getVar(name)
        if val:
-            e.data.setVar(name + "_MULTILIB_ORIGINAL", val)
+            d.setVar(name + "_MULTILIB_ORIGINAL", val)
    # We nearly don't need this but dependencies on NON_MULTILIB_RECIPES don't work without it
    d.setVar("SSTATE_ARCHS_TUNEPKG", "${@all_multilib_tune_values(d, 'TUNE_PKGARCH')}")
@@ -36,66 +37,67 @@ python multilib_virtclass_handler () {
    overrides = e.data.getVar("OVERRIDES", False)
    pn = e.data.getVar("PN", False)
    overrides = overrides.replace("pn-${PN}", "pn-${PN}:pn-" + pn)
-    e.data.setVar("OVERRIDES", overrides)
+    d.setVar("OVERRIDES", overrides)
-    if bb.data.inherits_class('image', e.data):
+    if bb.data.inherits_class('image', d):
-        e.data.setVar("MLPREFIX", variant + "-")
+        d.setVar("MLPREFIX", variant + "-")
-        e.data.setVar("PN", variant + "-" + e.data.getVar("PN", False))
+        d.setVar("PN", variant + "-" + d.getVar("PN", False))
-        e.data.setVar('SDKTARGETSYSROOT', e.data.getVar('SDKTARGETSYSROOT'))
+        d.setVar('SDKTARGETSYSROOT', d.getVar('SDKTARGETSYSROOT'))
        override = ":virtclass-multilib-" + variant
-        e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override)
+        d.setVar("OVERRIDES", d.getVar("OVERRIDES", False) + override)
-        target_vendor = e.data.getVar("TARGET_VENDOR:" + "virtclass-multilib-" + variant, False)
+        target_vendor = d.getVar("TARGET_VENDOR:" + "virtclass-multilib-" + variant, False)
        if target_vendor:
-            e.data.setVar("TARGET_VENDOR", target_vendor)
+            d.setVar("TARGET_VENDOR", target_vendor)
        return
-    if bb.data.inherits_class('cross-canadian', e.data):
+    if bb.data.inherits_class('cross-canadian', d):
        # Multilib cross-candian should use the same nativesdk sysroot without MLPREFIX
-        e.data.setVar("RECIPE_SYSROOT", "${WORKDIR}/recipe-sysroot")
+        d.setVar("RECIPE_SYSROOT", "${WORKDIR}/recipe-sysroot")
-        e.data.setVar("STAGING_DIR_TARGET", "${WORKDIR}/recipe-sysroot")
+        d.setVar("STAGING_DIR_TARGET", "${WORKDIR}/recipe-sysroot")
-        e.data.setVar("STAGING_DIR_HOST", "${WORKDIR}/recipe-sysroot")
+        d.setVar("STAGING_DIR_HOST", "${WORKDIR}/recipe-sysroot")
-        e.data.setVar("RECIPE_SYSROOT_MANIFEST_SUBDIR", "nativesdk-" + variant)
+        d.setVar("RECIPE_SYSROOT_MANIFEST_SUBDIR", "nativesdk-" + variant)
-        e.data.setVar("MLPREFIX", variant + "-")
+        d.setVar("MLPREFIX", variant + "-")
        override = ":virtclass-multilib-" + variant
-        e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override)
+        d.setVar("OVERRIDES", d.getVar("OVERRIDES", False) + override)
        return
-    if bb.data.inherits_class('native', e.data):
+    if bb.data.inherits_class('native', d):
        raise bb.parse.SkipRecipe("We can't extend native recipes")
-    if bb.data.inherits_class('nativesdk', e.data) or bb.data.inherits_class('crosssdk', e.data):
+    if bb.data.inherits_class('nativesdk', d) or bb.data.inherits_class('crosssdk', d):
        raise bb.parse.SkipRecipe("We can't extend nativesdk recipes")
-    if bb.data.inherits_class('allarch', e.data) and not d.getVar('MULTILIB_VARIANTS') \
+    if (bb.data.inherits_class('allarch', d)
-        and not bb.data.inherits_class('packagegroup', e.data):
+            and not d.getVar('MULTILIB_VARIANTS')
+            and not bb.data.inherits_class('packagegroup', d)):
        raise bb.parse.SkipRecipe("Don't extend allarch recipes which are not packagegroups")
    # Expand this since this won't work correctly once we set a multilib into place
-    e.data.setVar("ALL_MULTILIB_PACKAGE_ARCHS", e.data.getVar("ALL_MULTILIB_PACKAGE_ARCHS"))
+    d.setVar("ALL_MULTILIB_PACKAGE_ARCHS", d.getVar("ALL_MULTILIB_PACKAGE_ARCHS"))
 
    override = ":virtclass-multilib-" + variant
-    skip_msg = e.data.getVarFlag('SKIP_RECIPE', e.data.getVar('PN'))
+    skip_msg = d.getVarFlag('SKIP_RECIPE', d.getVar('PN'))
    if skip_msg:
-        pn_new = variant + "-" + e.data.getVar('PN')
+        pn_new = variant + "-" + d.getVar('PN')
-        if not e.data.getVarFlag('SKIP_RECIPE', pn_new):
+        if not d.getVarFlag('SKIP_RECIPE', pn_new):
-            e.data.setVarFlag('SKIP_RECIPE', pn_new, skip_msg)
+            d.setVarFlag('SKIP_RECIPE', pn_new, skip_msg)
-    e.data.setVar("MLPREFIX", variant + "-")
+    d.setVar("MLPREFIX", variant + "-")
-    e.data.setVar("PN", variant + "-" + e.data.getVar("PN", False))
+    d.setVar("PN", variant + "-" + d.getVar("PN", False))
-    e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override)
+    d.setVar("OVERRIDES", d.getVar("OVERRIDES", False) + override)
    # Expand INCOMPATIBLE_LICENSE_EXCEPTIONS with multilib prefix
-    pkgs = e.data.getVar("INCOMPATIBLE_LICENSE_EXCEPTIONS")
+    pkgs = d.getVar("INCOMPATIBLE_LICENSE_EXCEPTIONS")
    if pkgs:
        for pkg in pkgs.split():
            pkgs += " " + variant + "-" + pkg
-        e.data.setVar("INCOMPATIBLE_LICENSE_EXCEPTIONS", pkgs)
+        d.setVar("INCOMPATIBLE_LICENSE_EXCEPTIONS", pkgs)
    # DEFAULTTUNE can change TARGET_ARCH override so expand this now before update_data
-    newtune = e.data.getVar("DEFAULTTUNE:" + "virtclass-multilib-" + variant, False)
+    newtune = d.getVar("DEFAULTTUNE:" + "virtclass-multilib-" + variant, False)
    if newtune:
-        e.data.setVar("DEFAULTTUNE", newtune)
+        d.setVar("DEFAULTTUNE", newtune)
 }
 addhandler multilib_virtclass_handler
diff --git a/meta/classes/multilib_global.bbclass b/meta/classes/multilib_global.bbclass
index 6095d278dd..c1d6de100c 100644
--- a/meta/classes/multilib_global.bbclass
+++ b/meta/classes/multilib_global.bbclass
@@ -155,6 +155,12 @@ def preferred_ml_updates(d):
            extramp.append(translate_provide(pref, p))
    d.setVar("BB_MULTI_PROVIDER_ALLOWED", " ".join(mp + extramp))
+    virtprovs = d.getVar("BB_RECIPE_VIRTUAL_PROVIDERS").split()
+    for p in virtprovs.copy():
+        for pref in prefixes:
+            virtprovs.append(translate_provide(pref, p))
+    d.setVar("BB_RECIPE_VIRTUAL_PROVIDERS", " ".join(virtprovs))
    abisafe = (d.getVar("SIGGEN_EXCLUDERECIPES_ABISAFE") or "").split()
    extras = []
    for p in prefixes:
@@ -171,24 +177,26 @@ def preferred_ml_updates(d):
    d.appendVar("SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS", " " + " ".join(extras))
 python multilib_virtclass_handler_vendor () {
-    if isinstance(e, bb.event.ConfigParsed):
+    for v in d.getVar("MULTILIB_VARIANTS").split():
-        for v in e.data.getVar("MULTILIB_VARIANTS").split():
+        if d.getVar("TARGET_VENDOR:virtclass-multilib-" + v, False) is None:
-            if e.data.getVar("TARGET_VENDOR:virtclass-multilib-" + v, False) is None:
+            d.setVar("TARGET_VENDOR:virtclass-multilib-" + v, d.getVar("TARGET_VENDOR", False) + "ml" + v)
-                e.data.setVar("TARGET_VENDOR:virtclass-multilib-" + v, e.data.getVar("TARGET_VENDOR", False) + "ml" + v)
+    preferred_ml_updates(d)
-        preferred_ml_updates(e.data)
 }
 addhandler multilib_virtclass_handler_vendor
 multilib_virtclass_handler_vendor[eventmask] = "bb.event.ConfigParsed"
 python multilib_virtclass_handler_global () {
-    variant = e.data.getVar("BBEXTENDVARIANT")
+    variant = d.getVar("BBEXTENDVARIANT")
    if variant:
        return
+    if bb.data.inherits_class('native', d):
+        return
    non_ml_recipes = d.getVar('NON_MULTILIB_RECIPES').split()
-    if bb.data.inherits_class('kernel', e.data) or \
+    if bb.data.inherits_class('kernel', d) or \
-            bb.data.inherits_class('module-base', e.data) or \
+            bb.data.inherits_class('module-base', d) or \
            d.getVar('BPN') in non_ml_recipes:
            # We need to avoid expanding KERNEL_VERSION which we can do by deleting it
@@ -197,7 +205,7 @@ python multilib_virtclass_handler_global () {
            localdata.delVar("KERNEL_VERSION")
            localdata.delVar("KERNEL_VERSION_PKG_NAME")
-            variants = (e.data.getVar("MULTILIB_VARIANTS") or "").split()
+            variants = (d.getVar("MULTILIB_VARIANTS") or "").split()
            import oe.classextend
            clsextends = []
@@ -208,22 +216,22 @@ python multilib_virtclass_handler_global () {
            origprovs = provs = localdata.getVar("PROVIDES") or ""
            for clsextend in clsextends:
                provs = provs + " " + clsextend.map_variable("PROVIDES", setvar=False)
-            e.data.setVar("PROVIDES", provs)
+            d.setVar("PROVIDES", provs)
            # Process RPROVIDES
            origrprovs = rprovs = localdata.getVar("RPROVIDES") or ""
            for clsextend in clsextends:
                rprovs = rprovs + " " + clsextend.map_variable("RPROVIDES", setvar=False)
            if rprovs.strip():
-                e.data.setVar("RPROVIDES", rprovs)
+                d.setVar("RPROVIDES", rprovs)
            # Process RPROVIDES:${PN}...
-            for pkg in (e.data.getVar("PACKAGES") or "").split():
+            for pkg in (d.getVar("PACKAGES") or "").split():
                origrprovs = rprovs = localdata.getVar("RPROVIDES:%s" % pkg) or ""
                for clsextend in clsextends:
                    rprovs = rprovs + " " + clsextend.map_variable("RPROVIDES:%s" % pkg, setvar=False)
                    rprovs = rprovs + " " + clsextend.extname + "-" + pkg
-                e.data.setVar("RPROVIDES:%s" % pkg, rprovs)
+                d.setVar("RPROVIDES:%s" % pkg, rprovs)
 }
 addhandler multilib_virtclass_handler_global
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
index 1452513a66..2b880c8b0c 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -81,6 +81,7 @@ python errorreport_handler () {
            task = e.task
            taskdata={}
            log = e.data.getVar('BB_LOGFILE')
+            taskdata['recipe'] = e.data.expand("${PN}")
            taskdata['package'] = e.data.expand("${PF}")
            taskdata['task'] = task
            if log:
diff --git a/meta/classes/sign_rpm.bbclass b/meta/classes/sign_rpm.bbclass
index ee0c4808fa..b5b21b0db1 100644
--- a/meta/classes/sign_rpm.bbclass
+++ b/meta/classes/sign_rpm.bbclass
@@ -33,7 +33,7 @@
 inherit sanity
-RPM_SIGN_PACKAGES='1'
+RPM_SIGN_PACKAGES = '1'
 RPM_SIGN_FILES ?= '0'
 RPM_GPG_BACKEND ?= 'local'
 # SHA-256 is used by default
diff --git a/meta/classes/siteconfig.bbclass b/meta/classes/siteconfig.bbclass
deleted file mode 100644
index 953cafd285..0000000000
--- a/meta/classes/siteconfig.bbclass
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# Copyright OpenEmbedded Contributors
-#
-# SPDX-License-Identifier: MIT
-#
-python siteconfig_do_siteconfig () {
-    shared_state = sstate_state_fromvars(d)
-    if shared_state['task'] != 'populate_sysroot':
-        return
-    if not os.path.isdir(os.path.join(d.getVar('FILE_DIRNAME'), 'site_config')):
-        bb.debug(1, "No site_config directory, skipping do_siteconfig")
-        return
-    sstate_install(shared_state, d)
-    bb.build.exec_func('do_siteconfig_gencache', d)
-    sstate_clean(shared_state, d)
-}
-EXTRASITECONFIG ?= ""
-siteconfig_do_siteconfig_gencache () {
-        mkdir -p ${WORKDIR}/site_config_${MACHINE}
-        gen-site-config ${FILE_DIRNAME}/site_config \
-                >${WORKDIR}/site_config_${MACHINE}/configure.ac
-        cd ${WORKDIR}/site_config_${MACHINE}
-        autoconf
-        rm -f ${BPN}_cache
-        CONFIG_SITE="" ${EXTRASITECONFIG} ./configure ${CONFIGUREOPTS} --cache-file ${BPN}_cache
-        sed -n -e "/ac_cv_c_bigendian/p" -e "/ac_cv_sizeof_/p" \
-                -e "/ac_cv_type_/p" -e "/ac_cv_header_/p" -e "/ac_cv_func_/p" \
-                < ${BPN}_cache > ${BPN}_config
-        mkdir -p ${SYSROOT_DESTDIR}${datadir}/${TARGET_SYS}_config_site.d
-        cp ${BPN}_config ${SYSROOT_DESTDIR}${datadir}/${TARGET_SYS}_config_site.d
-}
-do_populate_sysroot[sstate-interceptfuncs] += "do_siteconfig "
-EXPORT_FUNCTIONS do_siteconfig do_siteconfig_gencache
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
new file mode 100644
index 0000000000..ca0416d1c7
--- /dev/null
+++ b/meta/classes/spdx-common.bbclass
@@ -0,0 +1,107 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+SPDX_VERSION ??= ""
+DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${SPDX_VERSION}"
+# The product name that the CVE database uses.  Defaults to BPN, but may need to
+# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
+CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
+SPDXDIR ??= "${WORKDIR}/spdx/${SPDX_VERSION}"
+SPDXDEPLOY = "${SPDXDIR}/deploy"
+SPDXWORK = "${SPDXDIR}/work"
+SPDXIMAGEWORK = "${SPDXDIR}/image-work"
+SPDXSDKWORK = "${SPDXDIR}/sdk-work"
+SPDXSDKEXTWORK = "${SPDXDIR}/sdk-ext-work"
+SPDXDEPS = "${SPDXDIR}/deps.json"
+SPDX_TOOL_NAME ??= "oe-spdx-creator"
+SPDX_TOOL_VERSION ??= "1.0"
+SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
+SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
+SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
+SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
+SPDX_PRETTY ??= "0"
+SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
+python () {
+    from oe.cve_check import extend_cve_status
+    extend_cve_status(d)
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
+}
+def create_spdx_source_deps(d):
+    import oe.spdx_common
+    deps = []
+    if d.getVar("SPDX_INCLUDE_SOURCES") == "1":
+        pn = d.getVar('PN')
+        # do_unpack is a hack for now; we only need it to get the
+        # dependencies do_unpack already has so we can extract the source
+        # ourselves
+        if oe.spdx_common.has_task(d, "do_unpack"):
+            deps.append("%s:do_unpack" % pn)
+        if oe.spdx_common.is_work_shared_spdx(d) and \
+           oe.spdx_common.process_sources(d):
+            # For kernel source code
+            if oe.spdx_common.has_task(d, "do_shared_workdir"):
+                deps.append("%s:do_shared_workdir" % pn)
+            elif d.getVar('S') == d.getVar('STAGING_KERNEL_DIR'):
+                deps.append("virtual/kernel:do_shared_workdir")
+            # For gcc-source-${PV} source code
+            if oe.spdx_common.has_task(d, "do_preconfigure"):
+                deps.append("%s:do_preconfigure" % pn)
+            elif oe.spdx_common.has_task(d, "do_patch"):
+                deps.append("%s:do_patch" % pn)
+            # For gcc-cross-x86_64 source code
+            elif oe.spdx_common.has_task(d, "do_configure"):
+                deps.append("%s:do_configure" % pn)
+    return " ".join(deps)
+python do_collect_spdx_deps() {
+    # This task calculates the build time dependencies of the recipe, and is
+    # required because while a task can deptask on itself, those dependencies
+    # do not show up in BB_TASKDEPDATA. To work around that, this task does the
+    # deptask on do_create_spdx and writes out the dependencies it finds, then
+    # do_create_spdx reads in the found dependencies when writing the actual
+    # SPDX document
+    import json
+    import oe.spdx_common
+    from pathlib import Path
+    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
+    deps = oe.spdx_common.collect_direct_deps(d, "do_create_spdx")
+    with spdx_deps_file.open("w") as f:
+        json.dump(deps, f)
+}
+# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
+addtask do_collect_spdx_deps after do_unpack
+do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
+do_collect_spdx_deps[deptask] = "do_create_spdx"
+do_collect_spdx_deps[dirs] = "${SPDXDIR}"
+oe.spdx_common.collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
+oe.spdx_common.collect_direct_deps[vardeps] += "DEPENDS"
+oe.spdx_common.collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
+oe.spdx_common.get_patched_src[vardepsexclude] += "STAGING_KERNEL_DIR"
diff --git a/meta/classes/toaster.bbclass b/meta/classes/toaster.bbclass
index 03c4f3a930..af7c457808 100644
--- a/meta/classes/toaster.bbclass
+++ b/meta/classes/toaster.bbclass
@@ -84,7 +84,7 @@ python toaster_layerinfo_dumpdata() {
    llayerinfo = {}
-    for layer in { l for l in bblayers.strip().split(" ") if len(l) }:
+    for layer in { l for l in bblayers.strip().split() if len(l) }:
        llayerinfo[layer] = _get_layer_dict(layer)
diff --git a/meta/classes/toolchain/clang.bbclass b/meta/classes/toolchain/clang.bbclass
new file mode 100644
index 0000000000..d7b8a3657c
--- /dev/null
+++ b/meta/classes/toolchain/clang.bbclass
@@ -0,0 +1,37 @@
+CC = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+CXX = "${CCACHE}${HOST_PREFIX}clang++ ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+FC = "${HOST_PREFIX}gfortran ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+CPP = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} -E"
+LD = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-lld', '${HOST_PREFIX}ld.lld${TOOLCHAIN_OPTIONS} ${HOST_LD_ARCH}', '${HOST_PREFIX}ld${TOOLCHAIN_OPTIONS} ${HOST_LD_ARCH}', d)}"
+CCLD = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+RANLIB = "${HOST_PREFIX}llvm-ranlib"
+AR = "${HOST_PREFIX}llvm-ar"
+AS = "${HOST_PREFIX}as ${HOST_AS_ARCH}"
+STRIP = "${HOST_PREFIX}llvm-strip"
+OBJCOPY = "${HOST_PREFIX}llvm-objcopy"
+OBJDUMP = "${HOST_PREFIX}llvm-objdump"
+STRINGS = "${HOST_PREFIX}llvm-strings"
+NM = "${HOST_PREFIX}llvm-nm"
+READELF = "${HOST_PREFIX}llvm-readelf"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-cc = "${MLPREFIX}clang-cross-${TARGET_ARCH}"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-c++ = "${MLPREFIX}clang-cross-${TARGET_ARCH}"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}compilerlibs = "${MLPREFIX}gcc-runtime"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-cc:class-nativesdk = "clang-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-c++:class-nativesdk = "clang-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-cc:class-crosssdk = "clang-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-c++:class-crosssdk = "clang-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-cc:class-cross-canadian = "clang-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-c++:class-cross-canadian = "clang-crosssdk-${SDK_SYS}"
+BASE_DEFAULT_DEPS:append:class-target = " compiler-rt"
+TUNE_CCARGS += "${@bb.utils.contains("DISTRO_FEATURES", "usrmerge", " --dyld-prefix=/usr", "", d)}"
+LDFLAGS:append:class-nativesdk:x86-64 = " -Wl,-dynamic-linker,${base_libdir}/ld-linux-x86-64.so.2"
+LDFLAGS:append:class-nativesdk:aarch64 = " -Wl,-dynamic-linker,${base_libdir}/ld-linux-aarch64.so.1"
+TCOVERRIDE = "toolchain-clang"
diff --git a/meta/classes/toolchain/gcc-native.bbclass b/meta/classes/toolchain/gcc-native.bbclass
new file mode 100644
index 0000000000..a708bd0389
--- /dev/null
+++ b/meta/classes/toolchain/gcc-native.bbclass
@@ -0,0 +1,15 @@
+BUILD_CC = "${CCACHE}${BUILD_PREFIX}gcc ${BUILD_CC_ARCH}"
+BUILD_CXX = "${CCACHE}${BUILD_PREFIX}g++ ${BUILD_CC_ARCH}"
+BUILD_FC = "${BUILD_PREFIX}gfortran ${BUILD_CC_ARCH}"
+BUILD_CPP = "${BUILD_PREFIX}gcc ${BUILD_CC_ARCH} -E"
+BUILD_LD = "${BUILD_PREFIX}ld ${BUILD_LD_ARCH}"
+BUILD_CCLD = "${BUILD_PREFIX}gcc ${BUILD_CC_ARCH}"
+BUILD_AR = "${BUILD_PREFIX}ar"
+BUILD_AS = "${BUILD_PREFIX}as ${BUILD_AS_ARCH}"
+BUILD_RANLIB = "${BUILD_PREFIX}ranlib -D"
+BUILD_STRIP = "${BUILD_PREFIX}strip"
+BUILD_OBJCOPY = "${BUILD_PREFIX}objcopy"
+BUILD_OBJDUMP = "${BUILD_PREFIX}objdump"
+BUILD_NM = "${BUILD_PREFIX}nm"
+BUILD_READELF = "${BUILD_PREFIX}readelf"
diff --git a/meta/classes/toolchain/gcc.bbclass b/meta/classes/toolchain/gcc.bbclass
new file mode 100644
index 0000000000..a5adb5ca37
--- /dev/null
+++ b/meta/classes/toolchain/gcc.bbclass
@@ -0,0 +1,33 @@
+CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+CXX = "${CCACHE}${HOST_PREFIX}g++ ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+FC = "${HOST_PREFIX}gfortran ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+CPP = "${HOST_PREFIX}gcc -E${TOOLCHAIN_OPTIONS} ${HOST_CC_ARCH}"
+LD = "${HOST_PREFIX}ld${TOOLCHAIN_OPTIONS} ${HOST_LD_ARCH}"
+CCLD = "${CC}"
+AR = "${HOST_PREFIX}gcc-ar"
+AS = "${HOST_PREFIX}as ${HOST_AS_ARCH}"
+RANLIB = "${HOST_PREFIX}gcc-ranlib"
+STRIP = "${HOST_PREFIX}strip"
+OBJCOPY = "${HOST_PREFIX}objcopy"
+OBJDUMP = "${HOST_PREFIX}objdump"
+STRINGS = "${HOST_PREFIX}strings"
+NM = "${HOST_PREFIX}gcc-nm"
+READELF = "${HOST_PREFIX}readelf"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-cc = "${MLPREFIX}gcc-cross-${TARGET_ARCH}"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-c++ = "${MLPREFIX}gcc-cross-${TARGET_ARCH}"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}compilerlibs = "${MLPREFIX}gcc-runtime"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-cc:class-nativesdk = "gcc-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}cross-c++:class-nativesdk = "gcc-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/${MLPREFIX}compilerlibs:class-nativesdk = "nativesdk-gcc-runtime"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-cc:class-crosssdk = "gcc-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-c++:class-crosssdk = "gcc-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-compilerlibs:class-crosssdk = "nativesdk-gcc-runtime"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-cc:class-cross-canadian = "gcc-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-cross-c++:class-cross-canadian = "gcc-crosssdk-${SDK_SYS}"
+PREFERRED_PROVIDER_virtual/nativesdk-compilerlibs:class-cross-canadian = "nativesdk-gcc-runtime"
+TCOVERRIDE = "toolchain-gcc"
diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass
new file mode 100644
index 0000000000..402d8e0d96
--- /dev/null
+++ b/meta/classes/vex.bbclass
@@ -0,0 +1,303 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+# This class is used to generate metadata needed by external
+# tools to check for vulnerabilities, for example CVEs.
+#
+# In order to use this class just inherit the class in the
+# local.conf file and it will add the generate_vex task for
+# every recipe. If an image is build it will generate a report
+# in DEPLOY_DIR_IMAGE for all the packages used, it will also
+# generate a file for all recipes used in the build.
+#
+# Variables use CVE_CHECK prefix to keep compatibility with
+# the cve-check class
+#
+# Example:
+#   bitbake -c generate_vex openssl
+#   bitbake core-image-sato
+#   bitbake -k -c generate_vex universe
+#
+# The product name that the CVE database uses defaults to BPN, but may need to
+# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
+CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
+CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve"
+CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json"
+CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
+CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
+CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
+CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json"
+# Skip CVE Check for packages (PN)
+CVE_CHECK_SKIP_RECIPE ?= ""
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
+#
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
+#
+# Settings the same status and reason for multiple CVEs is possible
+# via CVE_STATUS_GROUPS variable.
+#
+# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
+#
+# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003"
+# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004"
+# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
+#
+# All possible CVE statuses could be found in cve-check-map.conf
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
+CVE_CHECK_IGNORE ?= ""
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+# Layers to be included
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+# set to "alphabetical" for version using single alphabetical character as increment release
+CVE_VERSION_SUFFIX ??= ""
+python () {
+    if bb.data.inherits_class("cve-check", d):
+        raise bb.parse.SkipRecipe("Skipping recipe: found incompatible combination of cve-check and vex enabled at the same time.")
+    from oe.cve_check import extend_cve_status
+    extend_cve_status(d)
+}
+def generate_json_report(d, out_path, link_path):
+    if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
+        import json
+        from oe.cve_check import cve_check_merge_jsons, update_symlinks
+        bb.note("Generating JSON CVE summary")
+        index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
+        summary = {"version":"1", "package": []}
+        with open(index_file) as f:
+            filename = f.readline()
+            while filename:
+                with open(filename.rstrip()) as j:
+                    data = json.load(j)
+                    cve_check_merge_jsons(summary, data)
+                filename = f.readline()
+        summary["package"].sort(key=lambda d: d['name'])
+        with open(out_path, "w") as f:
+            json.dump(summary, f, indent=2)
+        update_symlinks(out_path, link_path)
+python vex_save_summary_handler () {
+    import shutil
+    import datetime
+    from oe.cve_check import update_symlinks
+    cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+    bb.utils.mkdirhier(cvelogpath)
+    timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
+    json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
+    json_summary_name = os.path.join(cvelogpath, "cve-summary-%s.json" % (timestamp))
+    generate_json_report(d, json_summary_name, json_summary_link_name)
+    bb.plain("Complete CVE JSON report summary created at: %s" % json_summary_link_name)
+}
+addhandler vex_save_summary_handler
+vex_save_summary_handler[eventmask] = "bb.event.BuildCompleted"
+python do_generate_vex () {
+    """
+    Generate metadata needed for vulnerability checking for
+    the current recipe
+    """
+    from oe.cve_check import get_patched_cves
+    try:
+        patched_cves = get_patched_cves(d)
+        cves_status = []
+        products = d.getVar("CVE_PRODUCT").split()
+        for product in products:
+            if ":" in product:
+                _, product = product.split(":", 1)
+            cves_status.append([product, False])
+    except FileNotFoundError:
+        bb.fatal("Failure in searching patches")
+    cve_write_data_json(d, patched_cves, cves_status)
+}
+addtask generate_vex before do_build
+python vex_cleanup () {
+    """
+    Delete the file used to gather all the CVE information.
+    """
+    bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH"))
+}
+addhandler vex_cleanup
+vex_cleanup[eventmask] = "bb.event.BuildCompleted"
+python vex_write_rootfs_manifest () {
+    """
+    Create VEX/CVE manifest when building an image
+    """
+    import json
+    from oe.rootfs import image_list_installed_packages
+    from oe.cve_check import cve_check_merge_jsons, update_symlinks
+    deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+    if os.path.exists(deploy_file_json):
+        bb.utils.remove(deploy_file_json)
+    # Create a list of relevant recipies
+    recipies = set()
+    for pkg in list(image_list_installed_packages(d)):
+        pkg_info = os.path.join(d.getVar('PKGDATA_DIR'),
+                                'runtime-reverse', pkg)
+        pkg_data = oe.packagedata.read_pkgdatafile(pkg_info)
+        recipies.add(pkg_data["PN"])
+    bb.note("Writing rootfs VEX manifest")
+    deploy_dir = d.getVar("IMGDEPLOYDIR")
+    link_name = d.getVar("IMAGE_LINK_NAME")
+    json_data = {"version":"1", "package": []}
+    text_data = ""
+    save_pn = d.getVar("PN")
+    for pkg in recipies:
+        # To be able to use the CVE_CHECK_RECIPE_FILE_JSON variable we have to evaluate
+        # it with the different PN names set each time.
+        d.setVar("PN", pkg)
+        pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+        if os.path.exists(pkgfilepath):
+            with open(pkgfilepath) as j:
+                data = json.load(j)
+                cve_check_merge_jsons(json_data, data)
+        else:
+            bb.warn("Missing cve file for %s" % pkg)
+    d.setVar("PN", save_pn)
+    link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+    manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
+    with open(manifest_name, "w") as f:
+        json.dump(json_data, f, indent=2)
+    update_symlinks(manifest_name, link_path)
+    bb.plain("Image VEX JSON report stored in: %s" % manifest_name)
+}
+ROOTFS_POSTPROCESS_COMMAND:prepend = "vex_write_rootfs_manifest; "
+do_rootfs[recrdeptask] += "do_generate_vex "
+do_populate_sdk[recrdeptask] += "do_generate_vex "
+def cve_write_data_json(d, cve_data, cve_status):
+    """
+    Prepare CVE data for the JSON format, then write it.
+    Done for each recipe.
+    """
+    from oe.cve_check import get_cpe_ids
+    import json
+    output = {"version":"1", "package": []}
+    nvd_link = "https://nvd.nist.gov/vuln/detail/"
+    fdir_name  = d.getVar("FILE_DIRNAME")
+    layer = fdir_name.split("/")[-3]
+    include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+    exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    if exclude_layers and layer in exclude_layers:
+        return
+    if include_layers and layer not in include_layers:
+        return
+    product_data = []
+    for s in cve_status:
+        p = {"product": s[0], "cvesInRecord": "Yes"}
+        if s[1] == False:
+            p["cvesInRecord"] = "No"
+        product_data.append(p)
+    product_data = list({p['product']:p for p in product_data}.values())
+    package_version = "%s%s" % (d.getVar("EXTENDPE"), d.getVar("PV"))
+    cpes = get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
+    package_data = {
+        "name" : d.getVar("PN"),
+        "layer" : layer,
+        "version" : package_version,
+        "products": product_data,
+        "cpes": cpes
+    }
+    cve_list = []
+    for cve in sorted(cve_data):
+        issue_link = "%s%s" % (nvd_link, cve)
+        cve_item = {
+            "id" : cve,
+            "status" : cve_data[cve]["abbrev-status"],
+            "link": issue_link,
+        }
+        if 'NVD-summary' in cve_data[cve]:
+            cve_item["summary"] = cve_data[cve]["NVD-summary"]
+            cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"]
+            cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"]
+            cve_item["scorev4"] = cve_data[cve]["NVD-scorev4"]
+            cve_item["vector"] = cve_data[cve]["NVD-vector"]
+            cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"]
+        if 'status' in cve_data[cve]:
+            cve_item["detail"] = cve_data[cve]["status"]
+        if 'justification' in cve_data[cve]:
+            cve_item["description"] = cve_data[cve]["justification"]
+        if 'resource' in cve_data[cve]:
+            cve_item["patch-file"] = cve_data[cve]["resource"]
+        cve_list.append(cve_item)
+    package_data["issue"] = cve_list
+    output["package"].append(package_data)
+    deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+    write_string = json.dumps(output, indent=2)
+    cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+    index_path = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
+    bb.utils.mkdirhier(cvelogpath)
+    bb.utils.mkdirhier(os.path.dirname(deploy_file))
+    fragment_file = os.path.basename(deploy_file)
+    fragment_path = os.path.join(cvelogpath, fragment_file)
+    with open(fragment_path, "w") as f:
+        f.write(write_string)
+    with open(deploy_file, "w") as f:
+        f.write(write_string)
+    with open(index_path, "a+") as f:
+        f.write("%s\n" % fragment_path)
diff --git a/meta/classes/yocto-check-layer.bbclass b/meta/classes/yocto-check-layer.bbclass
deleted file mode 100644
index 404f5fd9f2..0000000000
--- a/meta/classes/yocto-check-layer.bbclass
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# Copyright OpenEmbedded Contributors
-#
-# SPDX-License-Identifier: MIT
-#
-#
-# This class is used by yocto-check-layer script for additional per-recipe tests
-# The first test ensures that the layer has no recipes skipping 'installed-vs-shipped' QA checks
-#
-WARN_QA:remove = "installed-vs-shipped"
-ERROR_QA:append = " installed-vs-shipped"
-python () {
-    packages = set((d.getVar('PACKAGES') or '').split())
-    for package in packages:
-        skip = set((d.getVar('INSANE_SKIP') or "").split() +
-                   (d.getVar('INSANE_SKIP:' + package) or "").split())
-        if 'installed-vs-shipped' in skip:
-            oe.qa.handle_error("installed-vs-shipped", 'Package %s is skipping "installed-vs-shipped" QA test.' % package, d)
-}